Problem
Every workflow uses `foundry-rs/foundry-toolchain@v1` without specifying a version, which installs Foundry nightly by default. This makes builds non-reproducible — yesterday's green PR can fail today on a nightly drift, with no way for the consumer to opt out.
Proposal
- Add a `foundry-version` input to each reusable workflow (`_ci.yml`, `_upgrade-safety.yml`, `_deploy-testnet.yml`, `_foundry-cicd.yml`).
- Default to `'stable'` (foundry-toolchain's stable channel — pinned to the latest stable Foundry release).
- Pass through to the `foundry-toolchain` action as the `version` input.
- Document in README that consumers wanting full reproducibility can pin to a specific tag like `'v1.0.0'`.
Related — out of scope here
- Pinning Halmos (`pip install halmos` is unversioned).
- Exposing the OZ `upgrades-core` version (currently hard-coded as `OZ_UPGRADES_CORE_VERSION` in `scripts/upgrade-safety/validate.sh`).
Both can be follow-ups.
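
A sketch of the proposed input and pass-through for one reusable workflow and a pinning consumer, added here as an illustration and not taken from the repository's workflow files. The job names, the checkout and `forge` steps, and the `<owner>/<repo>` and `<ref>` placeholders are assumptions.

```yaml
# Added illustration, not the repository's actual workflow files.
# --- .github/workflows/_ci.yml (reusable workflow) ---
name: ci
on:
  workflow_call:
    inputs:
      foundry-version:
        description: "Foundry version passed to foundry-toolchain (channel or release tag)"
        type: string
        required: false
        default: stable
jobs:
  test:              # job name is an assumption
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: foundry-rs/foundry-toolchain@v1
        with:
          # Passed via `with:`, so the value is never interpolated into a shell command.
          version: ${{ inputs.foundry-version }}
      # Record the resolved toolchain in the job log so a failure can be tied to a version.
      - run: forge --version
      - run: forge test
---
# --- consumer repository: .github/workflows/ci.yml ---
name: ci
on: [pull_request]
jobs:
  ci:
    # <owner>/<repo> and <ref> are placeholders for the shared-workflow repository.
    uses: <owner>/<repo>/.github/workflows/_ci.yml@<ref>
    with:
      foundry-version: v1.0.0   # pinned tag for reproducible builds
```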