From ed8b236cc8e4c9d290e204fe29327653c9090428 Mon Sep 17 00:00:00 2001 From: jhfnetboy Date: Mon, 1 Jun 2026 22:59:57 +0700 Subject: [PATCH 1/2] ci(security): scope EIP-170 gate to deployable contracts (skip test/script) Stage 1's `forge build --sizes` exits non-zero if ANY built contract exceeds 24576 bytes, including test-only helpers. SuperPaymasterV2Reinit (a thin SuperPaymaster subclass in SupplementaryLifecycle.t.sol, used purely for UUPS reinitializer testing and never deployed) is ~25.6 KB and was tripping the gate, even though the real deployable SuperPaymaster is 24,159 B (under the limit). Add --skip "*.t.sol" --skip "*.s.sol" so the gate enforces EIP-170 on exactly the contracts we deploy. --- .github/workflows/security.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 7638aae5..113ff584 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -22,11 +22,13 @@ jobs: run: npm install -g solhint - name: Solhint run: solhint 'contracts/src/**/*.sol' || true # report-only until ruleset tuned - - name: Build + EIP-170 size - run: | - forge build --sizes - # Fail if SuperPaymaster exceeds the 24576-byte limit - forge build --sizes | awk '/SuperPaymaster /{ if ($0 ~ /[0-9]/) print }' + - name: Build + EIP-170 size (deployable contracts only) + # --sizes exits non-zero if ANY built contract exceeds the 24576-byte EIP-170 + # limit. Scope the build to deployable src by skipping test/script files, so the + # gate enforces the limit on contracts we actually deploy — and is not tripped by + # test-only helpers (e.g. SuperPaymasterV2Reinit, a thin SuperPaymaster subclass + # used purely for UUPS reinitializer testing) that are never deployed. + run: forge build --sizes --skip "*.t.sol" --skip "*.s.sol" test: name: Stage 2 — forge test + fuzz From 4ca4cef6b5a5f4f6af7735c7021f810cddaff5cb Mon Sep 17 00:00:00 2001 From: jhfnetboy Date: Mon, 1 Jun 2026 23:06:26 +0700 Subject: [PATCH 2/2] ci(security): use documented --skip test/script aliases (Codex review) Codex flagged the previous `--skip "*.t.sol" --skip "*.s.sol"` as undocumented glob strings. Switch to forge's documented aliases: `forge build --help` states 'test and script are aliases for .t.sol and .s.sol'. Same effect (skip test/script so the EIP-170 gate only checks deployable contracts), but on the officially-supported flag form. --- .github/workflows/security.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 113ff584..b6a228b1 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -23,12 +23,13 @@ jobs: - name: Solhint run: solhint 'contracts/src/**/*.sol' || true # report-only until ruleset tuned - name: Build + EIP-170 size (deployable contracts only) - # --sizes exits non-zero if ANY built contract exceeds the 24576-byte EIP-170 - # limit. Scope the build to deployable src by skipping test/script files, so the - # gate enforces the limit on contracts we actually deploy — and is not tripped by - # test-only helpers (e.g. SuperPaymasterV2Reinit, a thin SuperPaymaster subclass - # used purely for UUPS reinitializer testing) that are never deployed. - run: forge build --sizes --skip "*.t.sol" --skip "*.s.sol" + # `forge build --sizes` exits non-zero if ANY built contract exceeds the 24576-byte + # EIP-170 limit. `test` and `script` are forge's documented --skip aliases for + # `.t.sol` / `.s.sol` (see `forge build --help`), so this scopes the gate to the + # contracts we actually deploy and is not tripped by test-only helpers — e.g. + # SuperPaymasterV2Reinit, a thin SuperPaymaster subclass used purely for UUPS + # reinitializer testing that is never deployed. + run: forge build --sizes --skip test --skip script test: name: Stage 2 — forge test + fuzz