diff --git a/.github/actions/install-risc0/action.yml b/.github/actions/install-risc0/action.yml deleted file mode 100644 index fef3a467..00000000 --- a/.github/actions/install-risc0/action.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: Install risc0 -description: Installs risc0 in the environment -runs: - using: "composite" - steps: - - name: Install risc0 - run: | - curl -L https://risczero.com/install | bash - /home/runner/.risc0/bin/rzup install - shell: bash diff --git a/.github/actions/install-system-deps/action.yml b/.github/actions/install-system-deps/action.yml deleted file mode 100644 index 28c4b41c..00000000 --- a/.github/actions/install-system-deps/action.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: Install system dependencies -description: Installs system dependencies in the environment -runs: - using: "composite" - steps: - - name: Install system dependencies - run: | - sudo apt-get update - sudo apt-get install -y build-essential clang libclang-dev libssl-dev pkg-config - shell: bash diff --git a/.github/actions/run-in-ci-image/action.yml b/.github/actions/run-in-ci-image/action.yml new file mode 100644 index 00000000..3fafe38c --- /dev/null +++ b/.github/actions/run-in-ci-image/action.yml @@ -0,0 +1,54 @@ +name: Run in CI image +description: > + Runs a command inside the CI image on a plain runner, for jobs that need the + host's Docker daemon. `container:` cannot work for those: it puts the + workspace on a path the host daemon cannot resolve, and it forbids + `--network host`. + +inputs: + image: + description: CI image reference, from the ci-image workflow's output. + required: true + run: + description: Command to run inside the image. + required: true + env: + description: Newline-separated NAME=VALUE pairs to pass into the container. + required: false + default: "" + +runs: + using: "composite" + steps: + - name: Run in CI image + shell: bash + env: + INPUT_IMAGE: ${{ inputs.image }} + INPUT_RUN: ${{ inputs.run }} + INPUT_ENV: ${{ inputs.env }} + run: | + set -euo pipefail + + env_args=() + while IFS= read -r pair; do + [[ -z "$pair" ]] && continue + env_args+=(--env "$pair") + done <<< "$INPUT_ENV" + + # Cargo's registry is the only part of CARGO_HOME worth sharing with the + # host: mounting all of it would shadow the tools baked into the image. + mkdir -p "$HOME/.cargo/registry" + + # Mounting the workspace on its own path is what makes this work. The + # daemon resolves compose bind mounts against the host, and the test + # binaries bake CARGO_MANIFEST_DIR in at compile time, so the path has + # to mean the same thing inside and outside the container. + docker run --rm \ + --network host \ + --volume /var/run/docker.sock:/var/run/docker.sock \ + --volume "$PWD:$PWD" \ + --volume "$HOME/.cargo/registry:/usr/local/cargo/registry" \ + --workdir "$PWD" \ + "${env_args[@]}" \ + "$INPUT_IMAGE" \ + bash -e -o pipefail -c "$INPUT_RUN" diff --git a/.github/docker/ci.Dockerfile b/.github/docker/ci.Dockerfile new file mode 100644 index 00000000..a79be15f --- /dev/null +++ b/.github/docker/ci.Dockerfile @@ -0,0 +1,97 @@ +# Image behind the `container:` of the CI jobs. Everything the jobs used to +# install per-run is baked in here instead, so a CI run no longer asks the risc0 +# install servers for anything. +# +# The image tag is a hash of this file plus rust-toolchain.toml, so editing +# either rebuilds the image on the PR that changes it. See ci-image.yml. +# +# Keep the base tag in sync with rust-toolchain.toml. +FROM rust:1.94.0-trixie + +# GitHub sets HOME=/github/home inside container jobs, which hides anything we +# bake into the image's ~. rzup defaults to $HOME/.risc0, so pin it to a fixed +# path; RUSTUP_HOME and CARGO_HOME already point at /usr/local from the base +# image, and rzup honours all three. +ENV RISC0_HOME=/usr/local/risc0 +ENV PATH=/usr/local/risc0/bin:$PATH + +RUN apt-get update && apt-get install -y --no-install-recommends \ + build-essential \ + clang \ + libclang-dev \ + libssl-dev \ + pkg-config \ + curl \ + git \ + jq \ + python3-dev \ + && rm -rf /var/lib/apt/lists/* + +# The runner pre-creates the workspace as another uid, so git in a container job +# calls it dubious. checkout's own fix is --global, which only holds while HOME +# still points at the gitconfig it wrote; --system holds regardless. +RUN git config --system --add safe.directory '*' + +# The base image already has this toolchain at the minimal profile, so the +# `profile = "default"` in rust-toolchain.toml is a no-op here: rustup sees the +# toolchain as installed and never applies it. Add what the jobs need by hand. +COPY rust-toolchain.toml /tmp/toolchain/rust-toolchain.toml +RUN cd /tmp/toolchain \ + && rustup toolchain install \ + && rustup component add clippy rustfmt \ + && rm -rf /tmp/toolchain + +# For `cargo +nightly fmt` in the fmt-rs job. +RUN rustup toolchain install nightly --profile minimal --component rustfmt + +# The bootstrap script only ever drops rzup in $HOME/.risc0/bin, so run it +# against the build-time HOME and keep just the binary. rzup itself then honours +# RISC0_HOME and installs each component under /usr/local. +# +# Versions pinned to the set currently validated in local dev (`rzup show`); +# bare `rzup install` would float all four default components to latest. r0vm +# and cargo-risczero track each other and the risc0-zkvm crate version. +RUN curl -L https://risczero.com/install | bash \ + && mv /root/.risc0/bin/rzup /usr/local/bin/rzup \ + && rm -rf /root/.risc0 \ + && rzup install rust 1.94.1 \ + && rzup install cpp 2024.1.5 \ + && rzup install r0vm 3.0.5 \ + && rzup install cargo-risczero 3.0.5 + +# Copying docker. Static Go binaries, so the alpine-built ones run fine here. +COPY --from=docker:29.6.1-cli /usr/local/bin/docker /usr/local/bin/docker +COPY --from=docker:29.6.1-cli /usr/local/libexec/docker/cli-plugins/docker-compose \ + /usr/local/libexec/docker/cli-plugins/docker-compose +COPY --from=docker:29.6.1-cli /usr/local/libexec/docker/cli-plugins/docker-buildx \ + /usr/local/libexec/docker/cli-plugins/docker-buildx + +# Prebuilt binaries; compiling these from source would dominate the image build. +# Versions pinned so a rebuild of the same image ships the same tools. +ENV BINSTALL_VERSION=1.21.0 +RUN curl -L --proto '=https' --tlsv1.2 -sSf \ + https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash \ + && cargo binstall --no-confirm \ + cargo-nextest@0.9.140 \ + taplo-cli@0.10.0 \ + cargo-machete@0.9.2 \ + cargo-deny@0.20.2 \ + just@1.56.0 + +# Smoke-test every tool the jobs use. A bad install should fail here, not later +# in some CI job that reuses this cached image. pyo3's `auto-initialize` links +# libpython, and the base image ships python3 without it, so check the .so too. +RUN cargo --version \ + && cargo +nightly fmt --version \ + && cargo clippy --version \ + && ls /usr/lib/*/libpython3*.so \ + && r0vm --version \ + && cargo risczero --version \ + && cargo nextest --version \ + && taplo --version \ + && cargo machete --version \ + && cargo deny --version \ + && just --version \ + && docker --version \ + && docker compose version \ + && docker buildx version diff --git a/.github/workflows/bench-regression.yml b/.github/workflows/bench-regression.yml index d82c0f11..89c18e32 100644 --- a/.github/workflows/bench-regression.yml +++ b/.github/workflows/bench-regression.yml @@ -9,12 +9,25 @@ on: permissions: contents: read pull-requests: write + packages: read name: bench-regression jobs: + ci-image: + permissions: + contents: read + packages: write + uses: ./.github/workflows/ci-image.yml + crypto-primitives: + needs: ci-image runs-on: ubuntu-latest + container: + image: ${{ needs.ci-image.outputs.image }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} timeout-minutes: 60 steps: - uses: actions/checkout@v5 @@ -24,13 +37,6 @@ jobs: # working tree, so we need the full history. fetch-depth: 0 - - uses: ./.github/actions/install-system-deps - - - uses: ./.github/actions/install-risc0 - - - name: Install active toolchain - run: rustup install - - name: Run criterion-compare against base branch uses: boa-dev/criterion-compare-action@v3 with: diff --git a/.github/workflows/ci-image.yml b/.github/workflows/ci-image.yml new file mode 100644 index 00000000..c93782de --- /dev/null +++ b/.github/workflows/ci-image.yml @@ -0,0 +1,75 @@ +name: CI image + +concurrency: + group: ci-image-${{ github.sha }} + cancel-in-progress: false + +# Resolves the CI image the calling workflow's jobs run in, building and pushing +# it only when it isn't published yet. +on: + workflow_call: + outputs: + image: + description: Image reference to pass to a job's `container:`. + value: ${{ jobs.ci-image.outputs.image }} + +jobs: + ci-image: + runs-on: ubuntu-latest + timeout-minutes: 60 + outputs: + image: ${{ steps.image-ref.outputs.image }} + steps: + - uses: actions/checkout@v5 + with: + ref: ${{ github.event.pull_request.head.sha || github.head_ref }} + + # Tagging by content hash means a PR that touches the Dockerfile or the + # toolchain builds and tests against its own image, while every other PR + # reuses the one already in the registry. + - name: Compute image reference + id: image-ref + run: | + repo="$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')" + tag="$(cat .github/docker/ci.Dockerfile rust-toolchain.toml | sha256sum | cut -c1-16)" + echo "image=ghcr.io/${repo}/ci:${tag}" >> "$GITHUB_OUTPUT" + echo "CI image: ghcr.io/${repo}/ci:${tag}" + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Check whether the image is already published + id: probe + run: | + if docker manifest inspect "${{ steps.image-ref.outputs.image }}" > /dev/null 2>&1; then + echo "exists=true" >> "$GITHUB_OUTPUT" + echo "Image already published, skipping build." + else + echo "exists=false" >> "$GITHUB_OUTPUT" + echo "Image not published yet, building it." + fi + + - name: Set up Docker Buildx + if: steps.probe.outputs.exists == 'false' + uses: docker/setup-buildx-action@v3 + + # A pull_request from a fork gets a read-only GITHUB_TOKEN, so this step + # fails there. It only runs when the fork changed the image, which is the + # case that needs a maintainer's eyes anyway. + - name: Build and push CI image + if: steps.probe.outputs.exists == 'false' + uses: docker/build-push-action@v5 + with: + context: . + file: ./.github/docker/ci.Dockerfile + push: true + tags: ${{ steps.image-ref.outputs.image }} + # Links the package to the repo, so it shows up there and inherits its + # access rules. + labels: org.opencontainers.image.source=https://github.com/${{ github.repository }} + cache-from: type=gha,scope=ci-image + cache-to: type=gha,mode=max,scope=ci-image diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 194646f3..ff9b4a8d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,67 +15,91 @@ on: permissions: contents: read pull-requests: read + packages: read name: General jobs: + ci-image: + permissions: + contents: read + packages: write + uses: ./.github/workflows/ci-image.yml + fmt-rs: + needs: ci-image runs-on: ubuntu-latest + container: + image: ${{ needs.ci-image.outputs.image }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@v5 with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - name: Install nightly toolchain for rustfmt - run: rustup install nightly --profile minimal --component rustfmt - - name: Check Rust files are formatted run: cargo +nightly fmt --check fmt-toml: + needs: ci-image runs-on: ubuntu-latest + container: + image: ${{ needs.ci-image.outputs.image }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@v5 with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - name: Install taplo-cli - run: cargo install --locked taplo-cli - + # No path argument: taplo reads a `.` as a literal file, excludes it for + # not being a .toml, and checks nothing. - name: Check TOML files are formatted - run: taplo fmt --check . + run: taplo fmt --check machete: + needs: ci-image runs-on: ubuntu-latest + container: + image: ${{ needs.ci-image.outputs.image }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@v5 with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - name: Install active toolchain - run: rustup install - - - name: Install cargo-machete - run: cargo install cargo-machete - - name: Check for unused dependencies run: cargo machete deny: + needs: ci-image runs-on: ubuntu-latest + container: + image: ${{ needs.ci-image.outputs.image }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@v5 with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - name: Install cargo-deny - run: cargo install --locked cargo-deny - - name: Check licenses and advisories run: cargo deny check lint: + needs: ci-image runs-on: ubuntu-latest + container: + image: ${{ needs.ci-image.outputs.image }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} timeout-minutes: 60 name: lint @@ -84,13 +108,6 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - uses: ./.github/actions/install-system-deps - - - uses: ./.github/actions/install-risc0 - - - name: Install active toolchain - run: rustup install - - name: Restore Rust cache uses: Swatinem/rust-cache@v2 with: @@ -108,36 +125,35 @@ jobs: run: cargo clippy -p "*program" -- -D warnings unit-tests: + needs: ci-image runs-on: ubuntu-latest + container: + image: ${{ needs.ci-image.outputs.image }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} timeout-minutes: 60 steps: - uses: actions/checkout@v5 with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - uses: ./.github/actions/install-system-deps - - - uses: ./.github/actions/install-risc0 - - - name: Install active toolchain - run: rustup install - - name: Restore Rust cache uses: Swatinem/rust-cache@v2 with: shared-key: ci-rust-cache save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }} - - name: Install nextest - run: cargo install --locked cargo-nextest - - name: Run tests env: RISC0_DEV_MODE: "1" RUST_LOG: "info" run: cargo nextest run --workspace --exclude integration_tests --exclude test_fixtures --all-features + # Not a `container:` job: the tests drive the host's Docker daemon through + # testcontainers, so they run in the CI image via `run-in-ci-image` instead. test-fixtures-tests: + needs: ci-image runs-on: ubuntu-latest timeout-minutes: 60 steps: @@ -145,12 +161,12 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - uses: ./.github/actions/install-system-deps - - - uses: ./.github/actions/install-risc0 - - - name: Install active toolchain - run: rustup install + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Restore Rust cache uses: Swatinem/rust-cache@v2 @@ -158,16 +174,20 @@ jobs: shared-key: ci-rust-cache save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }} - - name: Install nextest - run: cargo install --locked cargo-nextest - - name: Run test_fixtures tests - env: - RISC0_DEV_MODE: "1" - RUST_LOG: "info" - run: cargo nextest run -p test_fixtures + uses: ./.github/actions/run-in-ci-image + with: + image: ${{ needs.ci-image.outputs.image }} + env: | + RISC0_DEV_MODE=1 + RUST_LOG=info + run: cargo nextest run -p test_fixtures + # Not a `container:` job: the test binaries bake CARGO_MANIFEST_DIR in at + # compile time, so the archive has to be built on the same path the matrix + # jobs later run it from. integration-tests-prebuild: + needs: ci-image runs-on: ubuntu-latest outputs: targets: ${{ steps.discover-targets.outputs.targets }} @@ -176,12 +196,12 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - uses: ./.github/actions/install-system-deps - - - uses: ./.github/actions/install-risc0 - - - name: Install active toolchain - run: rustup install + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Restore Rust cache uses: Swatinem/rust-cache@v2 @@ -189,13 +209,12 @@ jobs: shared-key: ci-rust-cache save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }} - - name: Install nextest - run: cargo install --locked cargo-nextest - - name: Build integration test archive - env: - RISC0_DEV_MODE: "1" - run: cargo nextest archive -p integration_tests --archive-file integration-tests.tar.zst --no-pager + uses: ./.github/actions/run-in-ci-image + with: + image: ${{ needs.ci-image.outputs.image }} + env: RISC0_DEV_MODE=1 + run: cargo nextest archive -p integration_tests --archive-file integration-tests.tar.zst --no-pager - name: Upload integration test archive uses: actions/upload-artifact@v4 @@ -203,15 +222,22 @@ jobs: name: integration-tests-archive path: integration-tests.tar.zst + - name: List integration test binaries + uses: ./.github/actions/run-in-ci-image + with: + image: ${{ needs.ci-image.outputs.image }} + run: | + cargo nextest list \ + --archive-file integration-tests.tar.zst \ + --list-type binaries-only \ + --message-format json \ + --no-pager > integration-tests-binaries.json + + # $GITHUB_OUTPUT is outside the mounted workspace, so the container cannot + # write to it. jq is on the runner, so do this pass here. - name: Discover integration test targets from archive id: discover-targets run: | - cargo nextest list \ - --archive-file integration-tests.tar.zst \ - --list-type binaries-only \ - --message-format json \ - --no-pager > integration-tests-binaries.json - targets_json="$(jq -c '[."rust-binaries" | to_entries[] | select(.value.kind == "test" and .value."binary-name" != "tps") | .value."binary-name"] | sort | unique' integration-tests-binaries.json)" if [[ "$targets_json" == "[]" ]]; then @@ -223,7 +249,7 @@ jobs: echo "Discovered integration targets: $targets_json" integration-tests: - needs: [test-fixtures-tests, integration-tests-prebuild] + needs: [ci-image, test-fixtures-tests, integration-tests-prebuild] runs-on: ubuntu-latest timeout-minutes: 90 strategy: @@ -236,28 +262,29 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - uses: ./.github/actions/install-system-deps - - - uses: ./.github/actions/install-risc0 - - - name: Install active toolchain - run: rustup install + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Download integration test archive uses: actions/download-artifact@v4 with: name: integration-tests-archive - - name: Install nextest - run: cargo install --locked cargo-nextest - - name: Run tests - env: - RISC0_DEV_MODE: "1" - RUST_LOG: "info" - run: cargo nextest run --archive-file integration-tests.tar.zst -E "binary(${{ matrix.target }})" + uses: ./.github/actions/run-in-ci-image + with: + image: ${{ needs.ci-image.outputs.image }} + env: | + RISC0_DEV_MODE=1 + RUST_LOG=info + run: cargo nextest run --archive-file integration-tests.tar.zst -E "binary(${{ matrix.target }})" valid-proof-test: + needs: ci-image runs-on: ubuntu-latest timeout-minutes: 90 steps: @@ -265,12 +292,12 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - uses: ./.github/actions/install-system-deps - - - uses: ./.github/actions/install-risc0 - - - name: Install active toolchain - run: rustup install + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Restore Rust cache uses: Swatinem/rust-cache@v2 @@ -279,11 +306,16 @@ jobs: save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }} - name: Test valid proof - env: - RUST_LOG: "info" - run: cargo test -p integration_tests -- --exact private::private_transfer_to_owned_account + uses: ./.github/actions/run-in-ci-image + with: + image: ${{ needs.ci-image.outputs.image }} + env: RUST_LOG=info + run: cargo test -p integration_tests -- --exact private::private_transfer_to_owned_account + # `just build-artifacts` drives the host's Docker daemon via `cargo risczero + # build`, so it goes through the image rather than `container:`. artifacts: + needs: ci-image runs-on: ubuntu-latest timeout-minutes: 60 @@ -293,7 +325,12 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.head_ref }} - - uses: ./.github/actions/install-risc0 + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Restore Rust cache uses: Swatinem/rust-cache@v2 @@ -301,11 +338,11 @@ jobs: shared-key: ci-rust-cache save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }} - - name: Install just - run: cargo install --locked just - - name: Build artifacts - run: just build-artifacts + uses: ./.github/actions/run-in-ci-image + with: + image: ${{ needs.ci-image.outputs.image }} + run: just build-artifacts - name: Check if artifacts match repository run: |