bump flow-core-contracts to v1.10.3

[vishalchangrani]

Summary

• Bumps github.com/onflow/flow-core-contracts/lib/go/contracts and lib/go/templates from v1.10.2 to v1.10.3

What is in v1.10.3

• Port internal fixes by @SupunS
• Fix wildcard import by @turbolent

Test plan

• CI passes

Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Updated core contract library dependencies from v1.10.2 to v1.10.3 across project module manifests (root and environment-specific).

• Tests

  • Adjusted unit and bootstrap test expectations and genesis-state test constants to reflect updated baseline values.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
gomod/github.com/onflow/flow-core-contracts/lib/go/contracts	1.10.3	🟢 6	Details Check Score Reason Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/onflow/flow-core-contracts/lib/go/templates	1.10.3	🟢 6	Details Check Score Reason Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/onflow/flow-core-contracts/lib/go/contracts	1.10.3	🟢 6	Details Check Score Reason Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/onflow/flow-core-contracts/lib/go/templates	1.10.3	🟢 6	Details Check Score Reason Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/onflow/flow-core-contracts/lib/go/contracts	1.10.3	🟢 6	Details Check Score Reason Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/onflow/flow-core-contracts/lib/go/templates	1.10.3	🟢 6	Details Check Score Reason Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• go.mod
• insecure/go.mod
• integration/go.mod

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 507b435d-3d4e-4667-88be-1df2ed8a6bd7

📥 Commits

Reviewing files that changed from the base of the PR and between 83d3dd5 and 44657bd.

⛔ Files ignored due to path filters (3)

• go.sum is excluded by !**/*.sum
• insecure/go.sum is excluded by !**/*.sum
• integration/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• engine/execution/state/bootstrap/bootstrap_test.go
• utils/unittest/execution_state.go

✅ Files skipped from review due to trivial changes (1)

• engine/execution/state/bootstrap/bootstrap_test.go

---

📝 Walkthrough

Walkthrough

Bumps Flow Core Contracts Go submodules contracts and templates from v1.10.2 → v1.10.3 across module files and updates hardcoded genesis/state commitment hex constants and expected values in unit/bootstrap tests.

Changes

Flow Core Contracts dependency bump & test state updates

Layer / File(s)	Summary
Bump contracts and templates to v1.10.3 go.mod, insecure/go.mod, integration/go.mod	Updated github.com/onflow/flow-core-contracts/lib/go/contracts and .../templates versions from v1.10.2 → v1.10.3.
Update genesis state commitment constants utils/unittest/execution_state.go	Replaced exported GenesisStateCommitmentHex and adjusted genesisCommitHexByChainID return values for flow.Testnet and flow.Sandboxnet.
Update expected state commitments in bootstrap tests engine/execution/state/bootstrap/bootstrap_test.go	Replaced expected state commitment hex strings in TestBootstrapLedger_ZeroTokenSupply and TestBootstrapLedger_EmptyTransaction.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• onflow/flow-go#8541: Bumped flow-core-contracts to v1.10.3 with matching test/hash updates.
• onflow/flow-go#8415: Earlier bump of the same modules and adjustment of genesis/state commitment expectations.

Suggested reviewers

• SupunS
• zhangchiqing
• turbolent

Poem

🐰 I hop through modules, small and spry,
Two versions nudged beneath the sky,
Commitments updated, tests align,
A gentle bump, a tidy sign,
Builds hum softly — code carrots shine.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: bumping flow-core-contracts dependencies from v1.10.2 to v1.10.3 across multiple go.mod files and updating related state commitments.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bump/flow-core-contracts-v1.10.3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[turbolent]

Needs go mod tidy

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
utils/unittest/execution_state.go	0.00%	3 Missing ⚠️

📢 Thoughts on this report? Let us know!

[vishalchangrani]

updated as core contracts have changed.