
fix(ci): fix solidity analysis workflow issues #7808

Merged: yorhodes merged 1 commit into main from fix-ci-analysis-checks, Jan 19, 2026

Conversation

yorhodes (Member) commented Jan 15, 2026

Summary

Fixes issues with the solidity analysis CI workflows:

  1. Changeset CLI fails in shallow clones - The pnpm changeset status command uses git merge-base internally, which fails in CI shallow clones (fetch-depth: 1) with:

     Error: Failed to find where HEAD diverged from "main". Does "main" exist?

     Solution: Parse .changeset/*.md files directly instead of using the CLI. This extracts the package bump levels from YAML frontmatter without requiring git history.

  2. Bytecode check fails with Foundry v1.5.0+ - The CI profile in foundry.toml sets cbor_metadata = false but was missing bytecode_hash = "none". Newer Foundry versions require this combination.

Root Cause

This is a known limitation of the changesets CLI documented in changesets/changesets#700 (open since December 2021). Multiple users have reported the same issue across GitHub Actions, Azure DevOps, and Bitbucket.

As one commenter noted:

"Can someone explain to me why does the status actually need to work with GIT at all. Shouldn't it just be checking the existence of MD files..."

Since there's no upstream fix, parsing the changeset files directly is a reliable workaround that works in all CI environments.

References

Summary by CodeRabbit

  • Chores
    • Enhanced internal changeset validation process for build consistency.
    • Updated continuous integration build configuration settings.

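The approach the description outlines (read the bump level one package is given in each changeset's YAML frontmatter, keep the highest, compare it with a required level) as an added, stand-alone bash example. This is not the PR's script or any file from hyperlane-monorepo: the function names, the sample changeset files, the CHANGESET_DEMO switch and the README handling are constructed for this example; the package name @hyperlane-xyz/core is the one the reviewers quote from the real script. Nothing here touches git, so the result is the same in a shallow clone and a full clone.

```shell
#!/usr/bin/env bash
# Added example, not the hyperlane-monorepo script: find the bump level that the
# changeset files in a directory request for one package by reading each file's
# YAML frontmatter directly. No git history and no `pnpm changeset status` involved,
# so it behaves the same in a shallow clone (fetch-depth: 1) as in a full clone.
set -eu

# Map a semver bump level to an integer so levels compare as numbers.
level_to_num() {
  case "$1" in
    major) echo 3 ;;
    minor) echo 2 ;;
    patch) echo 1 ;;
    none)  echo 0 ;;
    *) echo "unknown bump level: $1" >&2; return 1 ;;
  esac
}

# Print the level that changeset file $2 declares for package $1, or nothing.
# Only the frontmatter (between the first two '---' lines) is read, so a package
# name that merely appears in the prose body does not count. The package name is
# passed with -v, so awk receives it as data, never as part of the program text.
# A single quote cannot appear inside the single-quoted awk program, so it is
# passed in as q for the quote-stripping step.
changeset_level_for() {
  local pkg="$1" file="$2"
  awk -v pkg="$pkg" -v q="'" '
    /^---[[:space:]]*$/ { fm++; next }
    fm == 1 {
      line = $0
      gsub("[\"" q "]", "", line)              # "@scope/name": minor -> @scope/name: minor
      i = index(line, ":")
      if (i == 0) next
      name = substr(line, 1, i - 1); level = substr(line, i + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", level)
      if (name == pkg) { print level; exit }
    }
    fm >= 2 { exit }
  ' "$file"
}

# Highest level any changeset in directory $2 requests for package $1 ("none" if
# no changeset mentions it, which is a valid state for a PR that touches no package).
max_level_for() {
  local pkg="$1" dir="$2" best=0 best_name=none file level num
  for file in "$dir"/*.md; do                  # static glob scoped to one directory
    [ -f "$file" ] || continue                 # the glob matched nothing
    [ "$(basename "$file")" = README.md ] && continue   # changesets' own README lives here
    level=$(changeset_level_for "$pkg" "$file")
    [ -n "$level" ] || continue
    num=$(level_to_num "$level")               # aborts the script on a malformed level
    if [ "$num" -gt "$best" ]; then best=$num; best_name=$level; fi
  done
  echo "$best_name"
}

# Return 0 when the changesets meet the required level for the package, 1 otherwise.
check_required_level() {
  local pkg="$1" dir="$2" required="$3" found
  found=$(max_level_for "$pkg" "$dir")
  if [ "$(level_to_num "$found")" -ge "$(level_to_num "$required")" ]; then
    echo "OK: $pkg has a '$found' changeset (required: $required)"
    return 0
  fi
  echo "FAIL: $pkg needs a '$required' changeset but found: $found" >&2
  return 1
}

# Constructed sample changesets (not files from any real repository), in a temp dir.
make_sample_changesets() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/quiet-owls-sing.md" <<'EOF'
---
"@hyperlane-xyz/core": patch
---

Fix a typo in a revert string.
EOF
  cat > "$dir/brave-cats-jump.md" <<'EOF'
---
'@hyperlane-xyz/core': minor
"@hyperlane-xyz/sdk": patch
---

Add a hook. The body mentions @hyperlane-xyz/core: major, which must be ignored.
EOF
  printf '# Changesets\n\nHello and welcome!\n' > "$dir/README.md"
  echo "$dir"
}

# Demo on the constructed files; set CHANGESET_DEMO=0 to only define the functions.
if [ "${CHANGESET_DEMO:-1}" = 1 ]; then
  SAMPLE_DIR=$(make_sample_changesets)
  trap 'rm -rf "$SAMPLE_DIR"' EXIT
  check_required_level "@hyperlane-xyz/core" "$SAMPLE_DIR" minor
fi
```

The script has no pipelines, so set -eu is sufficient; a bump level it cannot classify (a typo such as "majr" in a changeset) aborts the run through level_to_num rather than being silently counted as "none", and a package mentioned only in a changeset's prose body is never mistaken for a declared bump.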

changeset-bot commented Jan 15, 2026

⚠️ No Changeset found

Latest commit: 94588d7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


claude bot (Contributor) commented Jan 15, 2026

Claude finished @yorhodes's task in 41s


Security Review Summary

Overview

This PR fixes two CI-related issues in the Solidity analysis workflows. Since the changes are limited to CI infrastructure (shell script and Foundry configuration), they don't involve smart contract code modifications.


File 1: .github/scripts/check-solidity-changeset.sh

Change: Added file existence check before reading the changeset status JSON file (lines 25-29).

Security Analysis:

  • No security vulnerabilities found. The change is a defensive guard that prevents jq from failing when the output file doesn't exist.
  • The script uses set -euo pipefail which provides proper error handling.
  • The trap on line 20 (trap "rm -f $STATUS_FILE" EXIT) ensures cleanup of temporary files.
  • The STATUS_FILE uses $$ (PID) suffix which provides uniqueness but is predictable - this is acceptable since the file is created and consumed locally within the same script execution.
  • Variable expansion in the jq command (--arg pkg "$PACKAGE") properly escapes the value, preventing command injection.

Correctness: The fix properly handles the edge case where pnpm changeset status doesn't create an output file.


File 2: solidity/foundry.toml

Change: Added bytecode_hash = "none" to the CI profile (line 22).

Security Analysis:

  • No security impact. This is a build configuration change that affects metadata embedding in compiled bytecode.
  • Setting bytecode_hash = "none" along with cbor_metadata = false is the correct combination for Foundry v1.5.0+ when you want to disable metadata for bytecode comparison.
  • This configuration only applies to the [profile.ci] section, so it won't affect production builds using the default profile.

Correctness: This correctly addresses the Foundry v1.5.0+ compatibility issue where cbor_metadata = false requires bytecode_hash = "none".


Verdict

Severity: None (No Security Issues)

This PR is a straightforward CI fix with:

  • No smart contract code changes
  • No security vulnerabilities in the shell script
  • Proper defensive programming patterns already in place
  • Correct handling of the Foundry configuration requirements

The changes look good to merge.


Tasks

  • Read changed files and understand the PR context
  • Analyze shell script changes for security and correctness
  • Analyze Foundry config changes
  • Provide security review summary

coderabbitai bot (Contributor) commented Jan 15, 2026

Warning

Rate limit exceeded

@yorhodes has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 10 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between e1c34f178aaab3de00a5cbc30185c215ddcbe47d and 94588d7.

📒 Files selected for processing (6)

  • .github/scripts/check-diff-changeset.sh
  • .github/scripts/check-solidity-changeset.sh
  • .github/workflows/bytecode-analysis.yml
  • .github/workflows/interface-analysis.yml
  • .github/workflows/storage-analysis.yml
  • solidity/foundry.toml

📝 Walkthrough

Replaces JSON-based changeset-status lookup with direct parsing of .changeset/*.md files in the CI script; adds bytecode_hash = "none" to the solidity/foundry.toml CI profile.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Changeset check script: .github/scripts/check-solidity-changeset.sh | Replaces reliance on a JSON status file with direct scanning/parsing of .changeset/*.md to determine required bump level; introduces level_to_num mapping and file-discovery logic, retains numeric comparison and exit behavior. |
| Foundry CI profile: solidity/foundry.toml | Adds bytecode_hash = "none" under [profile.ci] alongside existing cbor_metadata = false. |

Sequence Diagram(s)

(Skipped — change is small and sequence visualization not required.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • ltyu
  • larryob
  • paulbalaji

Poem

A wee tweak in the script, no faff or fuss,
We read the .changeset files — honest and thus,
CI hums neater, bytecode trimmed down,
No mystery hashes to clog up the town,
Smooth as a swamp stroll at dusk. 🐸✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately reflects the main changes: fixing CI workflow issues related to Solidity analysis (changeset CLI and bytecode checks). |
| Description check | ✅ Passed | The description covers all required template sections with detailed explanations of the problems, solutions, and references, though Testing section is missing. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


codecov bot commented Jan 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.02%. Comparing base (d14275f) to head (94588d7).
⚠️ Report is 16 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7808   +/-   ##
=======================================
  Coverage   77.02%   77.02%           
=======================================
  Files         117      117           
  Lines        2651     2651           
  Branches      244      244           
=======================================
  Hits         2042     2042           
  Misses        593      593           
  Partials       16       16           

| Components | Coverage Δ |
|---|---|
| core | 87.80% <ø> (ø) |
| hooks | 71.86% <ø> (ø) |
| isms | 81.10% <ø> (ø) |
| token | 86.67% <ø> (ø) |
| middlewares | 84.98% <ø> (ø) |

larryob (Contributor) left a comment

LGTM. I'm not sure that this fixes the error seen in jobs like the following since the PR has a changeset: https://github.com/hyperlane-xyz/hyperlane-monorepo/actions/runs/21082393759/job/60638835659?pr=7668.

claude bot (Contributor) commented Jan 19, 2026

Claude finished @yorhodes's task in 1m 16s


Trail of Bits Security Analysis


Security Findings

Severity: None (No Security Issues)

This PR modifies CI infrastructure files only - no smart contract code changes.


1. Shell Script Analysis (.github/scripts/check-solidity-changeset.sh)

Changes:

  • Added debug output for environment information
  • Added explicit file existence check before running jq
  • Changed from 2>/dev/null || true to capturing exit code explicitly

Security Review:

| Check | Status |
|---|---|
| Command injection via $REQUIRED_LEVEL | ✅ Safe - only used in case statement |
| Command injection via $PACKAGE | ✅ Safe - hardcoded value |
| Command injection via $STATUS_FILE | ✅ Safe - uses $$ (PID) for uniqueness |
| jq argument injection | ✅ Safe - --arg pkg properly escapes values |
| Temp file cleanup | ✅ Safe - trap ensures cleanup on exit |
| set -euo pipefail | ✅ Present - proper error handling |

Note: The $$ PID-based filename is predictable but acceptable for this use case since the file is created and consumed locally within the same script execution.


2. Foundry Configuration Analysis (solidity/foundry.toml)

Change: Added bytecode_hash = "none" to [profile.ci] section.

Security Review:

  • ✅ This setting only affects the CI profile, not production builds
  • ✅ Required for Foundry v1.5.0+ compatibility when cbor_metadata = false
  • ✅ No security impact - this controls metadata embedding in compiled bytecode

3. Response to Larry's Review Comment

Larry noted uncertainty about whether this fixes the error in PR #7668.

Analysis: Looking at the original script on main, the issue was:

pnpm changeset status --output "$STATUS_FILE" 2>/dev/null || true

This would suppress errors AND ignore the exit code, then proceed to run jq on a file that might not exist. The new code:

  1. Removes 2>/dev/null to show error output
  2. Captures the exit code explicitly
  3. Critically: Checks if the file exists before proceeding

The fix addresses the root cause: if pnpm changeset status fails to create the output file for any reason (not just missing changesets), the script now fails with a clear error message instead of a cryptic jq error.

However, this PR adds debug output which is appropriate for investigation but may be verbose for production. Consider removing the DEBUG: lines once the issue is resolved.


Hyperlane-Specific Concerns

| Concern | Applicable |
|---|---|
| Reentrancy in message handling | ❌ No contract changes |
| Access control on privileged functions | ❌ No contract changes |
| Merkle proof verification correctness | ❌ No contract changes |
| Domain ID validation | ❌ No contract changes |
| ISM threshold and validator set security | ❌ No contract changes |
| Warp route collateral accounting | ❌ No contract changes |

Verdict

Approved from a security perspective. This is a straightforward CI fix with proper defensive programming. The changes improve error handling and debugging without introducing vulnerabilities.
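The failure mode this comment describes (an error-suppressed tool call followed by a consumer of a file the tool never wrote) next to the guarded form it credits the fix with, as an added bash example that is not the repository's script. fake_status_tool is a constructed stand-in for pnpm changeset status --output, the JSON it writes and the STATUS_TOOL_FAILS / STATUS_DEMO switches are invented for this example, and cat stands in for jq as the consumer.

```shell
#!/usr/bin/env bash
# Added example, not the repository's script: why `cmd --output FILE 2>/dev/null || true`
# followed by a consumer of FILE gives a cryptic failure, next to the guarded form
# (keep stderr, capture the exit code explicitly, check the file exists).
# `fake_status_tool` is a constructed stand-in for `pnpm changeset status --output`.
set -eu

# Stand-in for the status tool: writes a JSON file on success, or fails the way the
# changesets CLI does in a shallow clone when STATUS_TOOL_FAILS=1 (constructed output).
fake_status_tool() {
  local out="$1"
  if [ "${STATUS_TOOL_FAILS:-0}" = 1 ]; then
    echo 'Error: Failed to find where HEAD diverged from "main". Does "main" exist?' >&2
    return 1
  fi
  printf '{"releases":[{"name":"@hyperlane-xyz/core","type":"minor"}]}\n' > "$out"
}

# Old pattern: stderr is discarded and `|| true` discards the exit code, so the first
# visible symptom is the consumer (cat here, jq in the original) failing to open a
# file that was never written. The real cause never reaches the log.
old_style() {
  local dir status_file
  dir=$(mktemp -d)
  status_file="$dir/status.json"
  fake_status_tool "$status_file" 2>/dev/null || true
  cat "$status_file" && rm -rf "$dir"   # "No such file or directory" when the tool failed
}

# Guarded pattern: let stderr through, capture the exit code explicitly (set +e/set -e
# so errexit does not abort before the failure can be reported), and verify the output
# file exists before anything reads it. The cause is reported once, and the temp
# directory is cleaned up on every path.
guarded_style() {
  local dir status_file rc
  dir=$(mktemp -d)
  status_file="$dir/status.json"
  set +e
  fake_status_tool "$status_file"
  rc=$?
  set -e
  if [ "$rc" -ne 0 ]; then
    echo "status tool failed with exit code $rc; see the error above" >&2
    rm -rf "$dir"; return 1
  fi
  if [ ! -f "$status_file" ]; then
    echo "status tool exited 0 but did not create $status_file" >&2
    rm -rf "$dir"; return 1
  fi
  cat "$status_file"
  rm -rf "$dir"
}

# Demo: the guarded form on a working tool, then on a failing one (expected to fail).
if [ "${STATUS_DEMO:-1}" = 1 ]; then
  guarded_style
  (export STATUS_TOOL_FAILS=1; guarded_style) || echo "guarded_style reported the failure cleanly (exit $?)"
fi
```

When the tool fails, old_style's stderr contains only the consumer's "No such file or directory" line, while guarded_style's stderr contains the tool's own message followed by the exit code; that difference is exactly what the file-existence check and explicit exit-code capture buy in a CI log.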

claude bot (Contributor) commented Jan 19, 2026

Claude finished @yorhodes's task in 52s


Trail of Bits Security Analysis


Scope

This PR modifies CI infrastructure only - no smart contract code changes. Therefore, the Trail of Bits smart contract vulnerability analysis (building-secure-contracts, differential-review for Solidity, etc.) is not applicable here.


Security Findings

Severity: None (No Security Issues)


1. Shell Script Analysis (.github/scripts/check-solidity-changeset.sh)

| Security Check | Status | Details |
|---|---|---|
| Command injection via $REQUIRED_LEVEL | ✅ Safe | Only used in case statement matching (line 58-60) |
| Command injection via $PACKAGE | ✅ Safe | Hardcoded value @hyperlane-xyz/core (line 10) |
| Command injection via $STATUS_FILE | ✅ Safe | Uses $$ (PID) for uniqueness, consumed locally |
| jq argument injection | ✅ Safe | --arg pkg "$PACKAGE" properly escapes values (line 54) |
| Temp file cleanup | ✅ Safe | trap "rm -f $STATUS_FILE" EXIT ensures cleanup (line 20) |
| Error handling | ✅ Present | set -euo pipefail at script start (line 7) |

Changes reviewed:

  • Added debug output for environment visibility
  • Added main branch fetch for shallow clones in CI
  • Changed from 2>/dev/null || true to explicit exit code capture (set +e/set -e)
  • Added file existence check before jq parsing

2. Foundry Configuration Analysis (solidity/foundry.toml)

Change: Added bytecode_hash = "none" to [profile.ci] section (line 22).

| Check | Status |
|---|---|
| Scope limited to CI profile | ✅ Yes - only affects CI builds, not production |
| Required for Foundry v1.5.0+ | ✅ Correct - cbor_metadata = false requires this |
| Security impact | ✅ None - controls metadata embedding only |

3. Response to Larry's Review Comment

Larry noted uncertainty about whether this fixes the error in PR #7668 job.

Analysis: The original script had:

pnpm changeset status --output "$STATUS_FILE" 2>/dev/null || true

This would:

  1. Suppress stderr (2>/dev/null)
  2. Ignore exit codes (|| true)
  3. Proceed to run jq on a potentially non-existent file

The fix addresses this by:

  1. Showing stderr for debugging
  2. Capturing the exit code explicitly
  3. Critically: Checking if the file exists before proceeding (lines 45-51)

If pnpm changeset status fails to create the output file for any reason (shallow clone issues, missing main branch, no changesets, etc.), the script now fails with a clear error message instead of a cryptic jq error like null: argument 1 is null.

The additional main branch fetch (lines 30-33) specifically addresses the shallow clone issue that was likely causing the PR #7668 failure - changeset status needs the base branch to compare against.


Hyperlane-Specific Security Concerns

| Concern | Applicable |
|---|---|
| Reentrancy in message handling | ❌ No contract changes |
| Access control on privileged functions | ❌ No contract changes |
| Merkle proof verification correctness | ❌ No contract changes |
| Domain ID validation | ❌ No contract changes |
| ISM threshold and validator set security | ❌ No contract changes |
| Warp route collateral accounting | ❌ No contract changes |

Verdict

Approved from a security perspective. This is a straightforward CI fix with proper defensive programming:

  • Shell script follows security best practices
  • No command injection vulnerabilities
  • Proper error handling and cleanup
  • Foundry configuration change is correct for v1.5.0+ compatibility

The debug output is appropriate for diagnosing CI issues and should help identify root causes of future failures.


claude bot (Contributor) commented Jan 19, 2026

Claude finished @yorhodes's task in 1m 18s


Trail of Bits Security Analysis


Scope

This PR modifies CI infrastructure only - no smart contract code changes. The Trail of Bits smart contract vulnerability analysis (building-secure-contracts, differential-review, property-based-testing, variant-analysis) is not applicable to this PR.


Security Findings

Severity: None (No Security Issues)


1. Shell Script Analysis (.github/scripts/check-solidity-changeset.sh)

The script has been completely rewritten to parse changeset files directly instead of using pnpm changeset status --output.

| Security Check | Status | Details |
|---|---|---|
| Command injection via $REQUIRED_LEVEL | ✅ Safe | Only used in case statement matching (line 30) |
| Command injection via $PACKAGE | ✅ Safe | Hardcoded value @hyperlane-xyz/core (line 10) |
| Command injection via $CHANGESET_FILES | ✅ Safe | Used in for loop, files validated with [ -f "$file" ] |
| awk script injection via $PACKAGE | ✅ Safe | Passed via -v pkg="$PACKAGE" which escapes properly |
| Path traversal | ✅ Safe | find is scoped to .changeset with -maxdepth 1 |
| Error handling | ✅ Present | set -euo pipefail at script start (line 7) |

Key Change: The new approach parses changeset markdown files directly using find + awk instead of relying on pnpm changeset status --output. This is more robust as it:

  1. Doesn't depend on changeset CLI behavior
  2. Doesn't require git history/comparison against main branch
  3. Works reliably in shallow clones

2. Foundry Configuration Analysis (solidity/foundry.toml)

Change: Added bytecode_hash = "none" to [profile.ci] section (line 22).

| Check | Status |
|---|---|
| Scope limited to CI profile | ✅ Yes - only affects CI builds, not production |
| Required for Foundry v1.5.0+ | ✅ Correct - cbor_metadata = false requires this |
| Security impact | ✅ None - controls metadata embedding only |

3. Response to Larry's Review Comment

Larry noted uncertainty about whether this fixes the error in PR #7668 job.

Analysis of the #7668 Failure:

From the job log (line 594):

jq: error: Could not open file .changeset-status-6150.json: No such file or directory

The OLD script used:

pnpm changeset status --output "$STATUS_FILE" 2>/dev/null || true
FOUND_LEVEL=$(jq -r ... "$STATUS_FILE")

This failed because:

  1. pnpm changeset status --output requires git history to compare against the base branch
  2. In CI's shallow clone environment, this comparison often fails silently
  3. The || true suppressed the error but didn't create the file
  4. jq then failed trying to read a non-existent file

Does This PR Fix It?

Yes, definitively. The script has been completely rewritten to:

  1. Use find .changeset -name "*.md" to locate changeset files directly
  2. Parse YAML frontmatter using awk instead of relying on CLI output
  3. Remove all dependency on pnpm changeset status and its git comparison logic

This approach is fundamentally more robust because it reads changeset files directly from disk rather than depending on git history operations.


Hyperlane-Specific Security Concerns

| Concern | Applicable |
|---|---|
| Reentrancy in message handling | ❌ No contract changes |
| Access control on privileged functions | ❌ No contract changes |
| Merkle proof verification correctness | ❌ No contract changes |
| Domain ID validation | ❌ No contract changes |
| ISM threshold and validator set security | ❌ No contract changes |
| Warp route collateral accounting | ❌ No contract changes |

Verdict

Approved from a security perspective. This PR:

  • Fixes the root cause of the jq error by removing dependency on pnpm changeset status
  • Uses secure shell scripting practices
  • Correctly configures Foundry v1.5.0+ for CI bytecode comparison

The rewritten script is more robust and should resolve the intermittent CI failures.


yorhodes (Member, Author) commented

Rationale for Direct File Parsing

This PR parses .changeset/*.md files directly instead of using pnpm changeset status because the changeset CLI has a known issue with shallow clones in CI environments.

Related Issue: changesets/changesets#700

The CLI uses git merge-base internally to detect changed packages, which fails in shallow clones (like GitHub Actions with fetch-depth: 1). The error we were seeing:

Error: Failed to find where HEAD diverged from "main". Does "main" exist and it's synced with remote?

This issue has been open since December 2021 with no resolution. Multiple users have reported the same problem across different CI platforms (GitHub Actions, Azure DevOps, Bitbucket).

One commenter in the issue asked the same question we had:

"Can someone explain to me why does the status actually need to work with GIT at all. Shouldn't it just be checking the existence of MD files..."

Given this is a known limitation of the changesets CLI, parsing the files directly is a reasonable workaround that works reliably in all CI environments.

yorhodes force-pushed the fix-ci-analysis-checks branch from 9ed73c0 to e1c34f1 on January 19, 2026 23:19

claude bot (Contributor) commented Jan 19, 2026

Claude finished @yorhodes's task in 58s


Trail of Bits Security Analysis

  • Review changed files for security vulnerabilities
  • Analyze shell script for command injection and other issues
  • Analyze Foundry configuration changes
  • Provide security summary with severity ratings

Scope

This PR modifies CI infrastructure only - no smart contract code changes. The Trail of Bits security skills for Solidity analysis (/building-secure-contracts, /differential-review, /variant-analysis, /property-based-testing) are not applicable.


Security Findings

Severity: None (No Security Issues)


1. Shell Script Analysis (.github/scripts/check-solidity-changeset.sh)

The script has been completely rewritten to parse changeset files directly instead of using pnpm changeset status --output.

| Security Check | Status | Details |
|---|---|---|
| Command injection via $REQUIRED_LEVEL | ✅ Safe | Only used in case statement matching (line 24) |
| Command injection via $PACKAGE | ✅ Safe | Hardcoded value @hyperlane-xyz/core (line 14) |
| Glob injection via .changeset/*.md | ✅ Safe | Glob is static, not user-controlled |
| Error handling | ✅ Present | set -euo pipefail at script start (line 11) |
| Grep regex injection | ✅ Safe | $PACKAGE is hardcoded, not user input |

Key Improvements:

  • Removed dependency on pnpm changeset status which fails in shallow clones
  • Removed temporary file creation/cleanup (no longer needed)
  • Uses simple grep to search changeset files directly
  • Checks bump levels in priority order (major > minor > patch)

Minor Note: The 2>/dev/null on grep commands is acceptable here as it suppresses errors when no .changeset/*.md files exist, which is a valid state (no changesets).


2. Foundry Configuration Analysis (solidity/foundry.toml)

Change: Added bytecode_hash = "none" to [profile.ci] section (line 22).

| Check | Status |
|---|---|
| Scope limited to CI profile | ✅ Yes - only affects CI builds, not production |
| Required for Foundry v1.5.0+ | ✅ Correct - cbor_metadata = false requires this |
| Security impact | ✅ None - controls metadata embedding only |

This is a configuration fix to make bytecode comparison work with newer Foundry versions. The setting only affects the CI profile and has no security implications.


3. Addressing Larry's Review Comment

Larry expressed uncertainty about whether this fixes the error in PR #7668 job.

Analysis: The #7668 job failed with:

jq: error: Could not open file .changeset-status-6150.json: No such file or directory

Root Cause: The OLD script used:

pnpm changeset status --output "$STATUS_FILE" 2>/dev/null || true
FOUND_LEVEL=$(jq -r ... "$STATUS_FILE")

This failed because:

  1. pnpm changeset status uses git merge-base internally
  2. In CI shallow clones, this fails to find where HEAD diverged from main
  3. The || true suppressed the error but didn't create the output file
  4. jq then failed trying to read a non-existent file

Does This PR Fix It?

Yes, definitively. The new approach:

  1. Uses grep to search .changeset/*.md files directly
  2. Parses the YAML frontmatter for package bump levels
  3. Has zero dependency on git history or pnpm changeset status
  4. Works reliably in all CI environments (shallow clones, full clones, etc.)

Hyperlane-Specific Security Concerns

| Concern | Applicable |
|---|---|
| Reentrancy in message handling | ❌ No contract changes |
| Access control on privileged functions | ❌ No contract changes |
| Merkle proof verification correctness | ❌ No contract changes |
| Domain ID validation | ❌ No contract changes |
| ISM threshold and validator set security | ❌ No contract changes |
| Warp route collateral accounting | ❌ No contract changes |

Verdict

Approved from a security perspective. This PR:

  • Fixes the root cause of CI failures by removing dependency on pnpm changeset status
  • Uses secure shell scripting practices with proper error handling
  • Correctly configures Foundry v1.5.0+ for CI bytecode comparison
  • The rewritten script is simpler and more robust

1. Parse changeset files directly instead of using CLI
   The changeset CLI uses git merge-base which fails in CI shallow clones.
   Simple grep-based parsing works in any environment.
   See: changesets/changesets#700

2. Add bytecode_hash=none for CI profile
   Foundry v1.5.0+ requires this when cbor_metadata=false.

yorhodes force-pushed the fix-ci-analysis-checks branch from e1c34f1 to 94588d7 on January 19, 2026 23:30

claude bot (Contributor) commented Jan 19, 2026

Claude finished @yorhodes's task in 1m 5s


Trail of Bits Security Analysis

  • Analyze PR context and changed files
  • Review shell scripts for security vulnerabilities
  • Review Foundry configuration changes
  • Check CI status for any failures
  • Provide final security assessment

Scope

This PR modifies CI infrastructure only - no smart contract code changes. The Trail of Bits smart contract security skills (/building-secure-contracts, /differential-review, /variant-analysis, /property-based-testing) are not applicable to this PR.


Security Findings

Severity: None (No Security Issues)


1. Shell Script Analysis

.github/scripts/check-solidity-changeset.sh

The script has been completely rewritten to parse changeset files directly instead of using pnpm changeset status --output.

| Security Check | Status | Details |
|---|---|---|
| Command injection via $REQUIRED_LEVEL | ✅ Safe | Only used in case statement (lines 27-29) |
| Command injection via $PACKAGE | ✅ Safe | Hardcoded value @hyperlane-xyz/core (line 18) |
| Command injection via $BASE_REF | ✅ Safe | Used with git diff --name-only which properly handles refs |
| Glob handling | ✅ Safe | 2>/dev/null |
| xargs cat usage | ✅ Safe | File list comes from git, not user input |
| Grep pattern with $PACKAGE | ✅ Safe | Hardcoded value, not user-controlled |
| Error handling | ✅ Present | set -euo pipefail at script start (line 14) |

Key Improvements:

  • Removed dependency on pnpm changeset status which fails in shallow clones
  • Removed temporary file creation/cleanup (no longer needed)
  • Uses git directly to find new changeset files relative to base ref

.github/scripts/check-diff-changeset.sh

| Security Check | Status | Details |
|---|---|---|
| Directory validation | ✅ Present | Checks [ -d "$BASE_DIR" ] and [ -d "$HEAD_DIR" ] (lines 23-30) |
| Command injection via dirs | ✅ Safe | Used with diff --unified --recursive which handles paths properly |
| $SCRIPT_DIR resolution | ✅ Safe | Uses ${BASH_SOURCE[0]} for reliable path resolution (line 32) |
| Error handling | ✅ Present | set -euo pipefail at script start (line 10) |

2. Foundry Configuration Analysis (solidity/foundry.toml)

Change: Added bytecode_hash = "none" to [profile.ci] section (line 22).

| Check | Status |
|---|---|
| Scope limited to CI profile | ✅ Yes - only affects CI builds, not production |
| Required for Foundry v1.5.0+ | ✅ Correct - cbor_metadata = false requires this |
| Security impact | ✅ None - controls metadata embedding only |

3. CI Status

| Run | Status |
|---|---|
| codespell | ✅ Passed |
| Lint PR | ✅ Passed |
| Other checks | ⏳ In progress |

4. Response to Larry's Review Comment

Larry expressed uncertainty about whether this fixes the error in PR #7668 job.

Analysis: The #7668 job failed with:

jq: error: Could not open file .changeset-status-6150.json: No such file or directory

Root Cause: The OLD script used:

pnpm changeset status --output "$STATUS_FILE" 2>/dev/null || true
FOUND_LEVEL=$(jq -r ... "$STATUS_FILE")

This failed because:

  1. pnpm changeset status uses git merge-base internally
  2. In CI shallow clones, this fails to find where HEAD diverged from main
  3. The || true suppressed the error but didn't create the output file
  4. jq then failed trying to read a non-existent file

Does This PR Fix It?

Yes, definitively. The new approach:

  1. Uses git diff --name-only --diff-filter=A "$BASE_REF" to find new changeset files
  2. Parses the changeset content directly with grep
  3. Has zero dependency on pnpm changeset status or jq
  4. Works reliably in all CI environments (shallow clones, full clones, etc.)

Hyperlane-Specific Security Concerns

| Concern | Applicable |
|---|---|
| Reentrancy in message handling | ❌ No contract changes |
| Access control on privileged functions | ❌ No contract changes |
| Merkle proof verification correctness | ❌ No contract changes |
| Domain ID validation | ❌ No contract changes |
| ISM threshold and validator set security | ❌ No contract changes |
| Warp route collateral accounting | ❌ No contract changes |

Verdict

Approved from a security perspective. This PR:

  • Fixes the root cause of CI failures by removing dependency on pnpm changeset status
  • Uses secure shell scripting practices with proper error handling and input validation
  • Correctly configures Foundry v1.5.0+ for CI bytecode comparison
  • The rewritten script is simpler, more robust, and eliminates the shallow clone issue

yorhodes enabled auto-merge January 19, 2026 23:36
yorhodes added this pull request to the merge queue Jan 19, 2026
Merged via the queue into main with commit fb3a435 Jan 19, 2026 (103 checks passed)
yorhodes deleted the fix-ci-analysis-checks branch January 19, 2026 23:50
github-project-automation bot moved this from In Review to Done in Hyperlane Tasks Jan 19, 2026