Merge c5ebee4d847e0f50b152007ad41a72677c87f926 into 390f4b48d982511883eec8628a9742976f8de8d3

This commit is contained in:
Ricardo Guilherme Schmidt 2026-07-16 18:48:27 +04:00 committed by GitHub
commit 148ae03a24
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 2491 additions and 157 deletions

View File

@ -1,10 +1,74 @@
name: Install risc0
description: Installs risc0 in the environment
description: Installs pinned RISC Zero components in the environment
inputs:
profile:
description: Components to install (build or runtime)
required: false
default: build
save-cache:
description: Save a missing cache from a trusted branch
required: false
default: "false"
runs:
using: "composite"
steps:
- name: Install risc0
- name: Restore RISC Zero components
id: restore-risc0
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.risc0
key: risc0-${{ runner.os }}-${{ runner.arch }}-${{ inputs.profile }}-rzup-0.5.0-r0vm-3.0.5-rust-1.94.1-cargo-risczero-3.0.5
- name: Install pinned RISC Zero components
env:
GITHUB_TOKEN: ${{ github.token }}
RISC0_PROFILE: ${{ inputs.profile }}
run: |
curl -L https://risczero.com/install | bash
/home/runner/.risc0/bin/rzup install
# Avoid mutable installer defaults: verify rzup itself, then select
# only the exact components required by this workflow profile.
risc0_home="${RISC0_HOME:-$HOME/.risc0}"
mkdir -p "$risc0_home/bin"
rzup="$risc0_home/bin/rzup"
rzup_sha256="7cdc1dd5d4b8ef38ea6170c45bd29ba65d389f0e96b365da61631d1fc5c6c1ca"
if ! echo "$rzup_sha256 $rzup" | sha256sum --check --status; then
rzup_download="$(mktemp)"
trap 'rm -f "$rzup_download"' EXIT
curl --proto '=https' --tlsv1.2 -fsSL \
https://risc0-artifacts.s3.us-west-2.amazonaws.com/rzup/prod/Linux-X64/rzup \
-o "$rzup_download"
echo "$rzup_sha256 $rzup_download" | sha256sum --check
install -m 0755 "$rzup_download" "$rzup"
fi
echo "$risc0_home/bin" >> "$GITHUB_PATH"
test "$("$rzup" --version)" = "rzup 0.5.0"
case "$RISC0_PROFILE" in
build)
"$rzup" install r0vm 3.0.5
"$rzup" install rust 1.94.1
"$rzup" install cargo-risczero 3.0.5
;;
runtime)
"$rzup" install r0vm 3.0.5
;;
*)
echo "Unsupported RISC Zero profile: $RISC0_PROFILE" >&2
exit 2
;;
esac
"$rzup" show
shell: bash
- name: Save RISC Zero components
if: >-
steps.restore-risc0.outputs.cache-hit != 'true' &&
inputs.save-cache == 'true' &&
github.event_name == 'push' &&
(github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.risc0
key: risc0-${{ runner.os }}-${{ runner.arch }}-${{ inputs.profile }}-rzup-0.5.0-r0vm-3.0.5-rust-1.94.1-cargo-risczero-3.0.5

View File

@ -0,0 +1,18 @@
name: Restore RISC Zero runtime
description: Restores the producer's pinned r0vm binary
runs:
using: composite
steps:
- name: Download RISC Zero runtime
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: risc0-runtime-3.0.5
path: ${{ runner.temp }}/risc0-runtime
- name: Install RISC Zero runtime
run: |
mkdir -p "$HOME/.cargo/bin"
mv "$RUNNER_TEMP/risc0-runtime/r0vm" "$HOME/.cargo/bin/r0vm"
chmod 0755 "$HOME/.cargo/bin/r0vm"
test "$(r0vm --version)" = "risc0-r0vm 3.0.5"
shell: bash

View File

@ -0,0 +1 @@
node_modules/

1892
.github/scripts/artifact-client/package-lock.json generated vendored Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,11 @@
{
"name": "logos-execution-zone-ci-artifact-client",
"private": true,
"type": "module",
"engines": {
"node": ">=24"
},
"dependencies": {
"@actions/artifact": "6.2.1"
}
}

View File

@ -0,0 +1,132 @@
import {
appendFile,
lstat,
readFile,
realpath,
rm,
statfs,
writeFile,
} from "node:fs/promises";
import { basename, dirname, join, resolve } from "node:path";
import { DefaultArtifactClient } from "@actions/artifact";
const GIB = 1024 ** 3;
const MIB = 1024 ** 2;
function humanSize(size) {
if (size >= GIB) return `${(size / GIB).toFixed(2)} GiB`;
return `${(size / MIB).toFixed(2)} MiB`;
}
export async function buildAndUploadIntegrationTargets({ core, exec }) {
const artifactDirectory = await realpath(
resolve(process.env.INTEGRATION_ARTIFACT_DIR ?? ""),
);
const manifest = resolve(process.env.INTEGRATION_ARTIFACT_MANIFEST ?? "");
const targetsPath = resolve(process.env.INTEGRATION_TARGETS_FILE ?? "");
if (dirname(manifest) !== artifactDirectory) {
throw new Error(`integration manifest is outside staging: ${manifest}`);
}
if (dirname(targetsPath) !== artifactDirectory) {
throw new Error(`integration target list is outside staging: ${targetsPath}`);
}
await writeFile(manifest, "");
const targets = (await readFile(targetsPath, "utf8"))
.split("\n")
.filter(Boolean);
if (targets.length === 0 || targets.length > 64) {
throw new Error(`invalid integration target count: ${targets.length}`);
}
const artifact = new DefaultArtifactClient();
let totalArchiveSize = 0;
for (const target of targets) {
if (!/^[a-z0-9_]+$/.test(target)) {
throw new Error(`invalid integration target: ${target}`);
}
const artifactName = `integration-test-${target}.tar.zst`;
const archive = join(artifactDirectory, artifactName);
try {
const exitCode = await exec.exec("cargo", [
"nextest",
"archive",
"-p",
"integration_tests",
"--test",
target,
"-E",
`binary(=${target})`,
"--archive-file",
archive,
"--no-pager",
]);
if (exitCode !== 0) {
throw new Error(`nextest archive failed for ${target}`);
}
const archiveStat = await lstat(archive);
if (!archiveStat.isFile()) {
throw new Error(`integration artifact is not a file: ${archive}`);
}
if (archiveStat.size > 128 * MIB) {
throw new Error(`${target} archive exceeds the 128 MiB limit`);
}
totalArchiveSize += archiveStat.size;
if (totalArchiveSize > 4 * GIB) {
throw new Error("integration archives exceed the 4 GiB total limit");
}
await appendFile(
process.env.GITHUB_STEP_SUMMARY,
`| \`${target}\` | ${humanSize(archiveStat.size)} |\n`,
);
const { artifacts } = await artifact.listArtifacts({ latest: true });
if (artifacts.some(({ name }) => name === artifactName)) {
await artifact.deleteArtifact(artifactName);
}
const { digest, id } = await artifact.uploadArtifact(
artifactName,
[archive],
artifactDirectory,
{
retentionDays: 1,
skipArchive: true,
},
);
if (!digest || !id) {
throw new Error(`upload returned incomplete metadata: ${artifactName}`);
}
await appendFile(
manifest,
`${JSON.stringify({
archive: artifactName,
artifact_id: id,
target,
})}\n`,
);
core.info(`Uploaded ${artifactName} (artifact ${id}, digest ${digest}).`);
} finally {
await rm(archive, { force: true });
}
const disk = await statfs(artifactDirectory);
if (disk.bavail * disk.bsize < 6 * GIB) {
throw new Error("less than 6 GiB remains while building archives");
}
}
await appendFile(
process.env.GITHUB_STEP_SUMMARY,
`\nBuilt ${targets.length} integration targets exactly once.\n`,
);
}

View File

@ -2,8 +2,8 @@ on:
pull_request:
paths:
- "tools/crypto_primitives_bench/**"
- "lez/key_protocol/**"
- "lee/core/**"
- "lee/key_protocol/**"
- "lee/state_machine/core/**"
- ".github/workflows/bench-regression.yml"
permissions:
@ -12,27 +12,31 @@ permissions:
name: bench-regression
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
CARGO_INCREMENTAL: "0"
jobs:
crypto-primitives:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
# criterion-compare-action checks out the base branch in a second
# working tree, so we need the full history.
fetch-depth: 0
- uses: ./.github/actions/install-system-deps
- uses: ./.github/actions/install-risc0
- name: Install active toolchain
run: rustup install
run: rustup install --profile minimal
- name: Run criterion-compare against base branch
uses: boa-dev/criterion-compare-action@v3
uses: boa-dev/criterion-compare-action@adfd3a94634fe2041ce5613eb7df09d247555b87 # v3.2.4
with:
branchName: ${{ github.base_ref }}
cwd: tools/crypto_primitives_bench

View File

@ -1,3 +1,5 @@
name: General
on:
push:
branches:
@ -14,49 +16,55 @@ on:
permissions:
contents: read
pull-requests: read
name: General
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
CARGO_INCREMENTAL: "0"
CARGO_PROFILE_TEST_DEBUG: "0"
NEXTEST_VERSION: "0.9.140"
jobs:
fmt-rs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install nightly toolchain for rustfmt
run: rustup install nightly --profile minimal --component rustfmt
run: rustup install nightly-2026-04-14 --profile minimal --component rustfmt
- name: Check Rust files are formatted
run: cargo +nightly fmt --check
run: cargo +nightly-2026-04-14 fmt --check
fmt-toml:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install taplo-cli
run: cargo install --locked taplo-cli
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
tool: taplo-cli@0.10.0
fallback: none
- name: Check TOML files are formatted
run: taplo fmt --check .
run: taplo fmt --check
machete:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install active toolchain
run: rustup install
run: rustup install --profile minimal
- name: Install cargo-machete
run: cargo install cargo-machete
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
tool: cargo-machete@0.9.2
fallback: none
- name: Check for unused dependencies
run: cargo machete
@ -64,12 +72,13 @@ jobs:
deny:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install cargo-deny
run: cargo install --locked cargo-deny
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
tool: cargo-deny@0.20.2
fallback: none
- name: Check licenses and advisories
run: cargo deny check
@ -77,25 +86,20 @@ jobs:
lint:
runs-on: ubuntu-latest
timeout-minutes: 60
name: lint
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: ./.github/actions/install-system-deps
- uses: ./.github/actions/install-risc0
- name: Install active toolchain
run: rustup install
run: rustup install --profile minimal --component clippy
- name: Restore Rust cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
shared-key: ci-rust-cache
save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }}
cache-bin: false
save-if: false
- name: Lint workspace
env:
@ -107,202 +111,410 @@ jobs:
RISC0_SKIP_BUILD: "1"
run: cargo clippy -p "*program" -- -D warnings
- name: Check rustdoc links
env:
RISC0_SKIP_BUILD: "1"
RUSTDOCFLAGS: -D warnings
run: |
# Guest packages generate colliding output names, so document them
# separately below with isolated target directories.
cargo doc \
--workspace \
--all-features \
--no-deps \
--exclude test_program_guests \
--exclude test_methods_guests
for package in test_program_guests test_methods_guests; do
cargo doc \
-p "$package" \
--all-features \
--no-deps \
--target-dir "$RUNNER_TEMP/rustdoc-$package"
done
unit-tests:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: ./.github/actions/install-system-deps
- name: Install active toolchain
run: rustup install --profile minimal
- uses: ./.github/actions/install-risc0
- name: Install active toolchain
run: rustup install
- name: Restore Rust cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
shared-key: ci-rust-cache
save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }}
cache-bin: false
save-if: false
- name: Install nextest
run: cargo install --locked cargo-nextest
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
tool: nextest@${{ env.NEXTEST_VERSION }}
fallback: none
- name: Run tests
env:
RISC0_DEV_MODE: "1"
RUST_LOG: "info"
RUST_LOG: info
run: cargo nextest run --workspace --exclude integration_tests --exclude test_fixtures --all-features
test-fixtures-tests:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: ./.github/actions/install-system-deps
- uses: ./.github/actions/install-risc0
- name: Install active toolchain
run: rustup install
run: rustup install --profile minimal
- uses: ./.github/actions/install-risc0
with:
profile: runtime
save-cache: "true"
- name: Restore Rust cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
shared-key: ci-rust-cache
save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }}
cache-bin: false
save-if: false
- name: Install nextest
run: cargo install --locked cargo-nextest
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
tool: nextest@${{ env.NEXTEST_VERSION }}
fallback: none
- name: Run test_fixtures tests
env:
RISC0_DEV_MODE: "1"
RUST_LOG: "info"
RUST_LOG: info
run: cargo nextest run -p test_fixtures
integration-tests-prebuild:
runs-on: ubuntu-latest
integration-tests-prepare:
runs-on: ubuntu-24.04
timeout-minutes: 60
outputs:
targets: ${{ steps.discover-targets.outputs.targets }}
integration-matrix: ${{ steps.publish-matrix.outputs.integration-matrix }}
auth-transfer-artifact-id: ${{ steps.publish-matrix.outputs.auth-transfer-artifact-id }}
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: ./.github/actions/install-system-deps
- uses: ./.github/actions/install-risc0
- name: Install active toolchain
run: rustup install
run: rustup install --profile minimal
- uses: ./.github/actions/install-risc0
with:
save-cache: "true"
- name: Restore Rust cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
shared-key: ci-rust-cache
cache-bin: false
save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }}
- name: Install nextest
run: cargo install --locked cargo-nextest
- name: Build integration test archive
env:
RISC0_DEV_MODE: "1"
run: cargo nextest archive -p integration_tests --archive-file integration-tests.tar.zst --no-pager
- name: Upload integration test archive
uses: actions/upload-artifact@v4
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
name: integration-tests-archive
path: integration-tests.tar.zst
tool: nextest@${{ env.NEXTEST_VERSION }}
fallback: none
- name: Discover integration test targets from archive
id: discover-targets
- name: Discover integration test targets
run: |
cargo nextest list \
--archive-file integration-tests.tar.zst \
--list-type binaries-only \
--message-format json \
--no-pager > integration-tests-binaries.json
target_dir="$RUNNER_TEMP/integration-test-targets"
mkdir -p "$target_dir"
targets_json="$(jq -c '[."rust-binaries" | to_entries[] | select(.value.kind == "test" and .value."binary-name" != "tps") | .value."binary-name"] | sort | unique' integration-tests-binaries.json)"
cargo metadata \
--no-deps \
--format-version 1 > "$target_dir/metadata.json"
if [[ "$targets_json" == "[]" ]]; then
echo "No integration test targets were discovered." >&2
jq -r '
[.packages[]
| select(.name == "integration_tests")
| .targets[]
| select(.kind | index("test"))
| select(.name != "tps")
| .name]
| sort
| unique[]
' "$target_dir/metadata.json" > "$target_dir/discovered.targets"
if [[ ! -s "$target_dir/discovered.targets" ]]; then
echo "No non-tps integration test targets were discovered." >&2
exit 1
fi
echo "targets=$targets_json" >> "$GITHUB_OUTPUT"
echo "Discovered integration targets: $targets_json"
target_count="$(wc -l < "$target_dir/discovered.targets")"
if (( target_count > 64 )); then
echo "More than 64 integration targets were discovered." >&2
exit 1
fi
{
echo "### Integration target archives"
echo
echo "| Target | Archive size |"
echo "| --- | ---: |"
} >> "$GITHUB_STEP_SUMMARY"
- name: Install Node.js for workflow artifact client
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
- name: Install workflow artifact client
run: |
npm ci \
--prefix .github/scripts/artifact-client \
--ignore-scripts \
--omit=dev \
--no-audit \
--no-fund
- name: Build and upload integration test targets
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
ARTIFACT_CLIENT_SCRIPT: ${{ github.workspace }}/.github/scripts/artifact-client/upload.mjs
INTEGRATION_ARTIFACT_DIR: ${{ runner.temp }}/integration-test-targets
INTEGRATION_ARTIFACT_MANIFEST: ${{ runner.temp }}/integration-test-targets/uploaded.jsonl
INTEGRATION_TARGETS_FILE: ${{ runner.temp }}/integration-test-targets/discovered.targets
RISC0_DEV_MODE: "1"
with:
script: |
const { pathToFileURL } = await import("node:url")
const artifactClient = await import(
pathToFileURL(process.env.ARTIFACT_CLIENT_SCRIPT)
)
await artifactClient.buildAndUploadIntegrationTargets({ core, exec })
- name: Publish integration test matrix
id: publish-matrix
run: |
target_dir="$RUNNER_TEMP/integration-test-targets"
jq -r .target "$target_dir/uploaded.jsonl" \
| sort > "$target_dir/uploaded.targets"
if ! diff -u \
"$target_dir/discovered.targets" \
"$target_dir/uploaded.targets"; then
echo "Every discovered integration target must be uploaded exactly once." >&2
exit 1
fi
integration_matrix="$(jq -s -c '{include: .}' \
"$target_dir/uploaded.jsonl")"
auth_transfer_artifact_id="$(jq -r \
'select(.target == "auth_transfer") | .artifact_id' \
"$target_dir/uploaded.jsonl")"
if [[ ! "$auth_transfer_artifact_id" =~ ^[0-9]+$ ]]; then
echo "The auth_transfer artifact ID is missing or invalid." >&2
exit 1
fi
echo "integration-matrix=$integration_matrix" >> "$GITHUB_OUTPUT"
echo "auth-transfer-artifact-id=$auth_transfer_artifact_id" \
>> "$GITHUB_OUTPUT"
- name: Release artifact client and target metadata disk
if: always()
run: |
rm -rf .github/scripts/artifact-client/node_modules
rm -rf "$RUNNER_TEMP/integration-test-targets"
- name: Stage RISC Zero runtime
run: |
mkdir -p "$RUNNER_TEMP/risc0-runtime"
install -m 0755 "$(command -v r0vm)" "$RUNNER_TEMP/risc0-runtime/r0vm"
- name: Upload RISC Zero runtime
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: risc0-runtime-3.0.5
path: ${{ runner.temp }}/risc0-runtime/r0vm
compression-level: 6
retention-days: 1
if-no-files-found: error
overwrite: true
- name: Release staged RISC Zero runtime disk
if: always()
run: rm -f "$RUNNER_TEMP/risc0-runtime/r0vm"
integration-tests:
needs: [test-fixtures-tests, integration-tests-prebuild]
runs-on: ubuntu-latest
needs:
- test-fixtures-tests
- integration-tests-prepare
runs-on: ubuntu-24.04
timeout-minutes: 90
strategy:
fail-fast: false
matrix:
target: ${{ fromJson(needs.integration-tests-prebuild.outputs.targets) }}
max-parallel: 30
matrix: ${{ fromJSON(needs.integration-tests-prepare.outputs.integration-matrix) }}
name: integration-tests (${{ matrix.target }})
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: ./.github/actions/install-system-deps
- uses: ./.github/actions/install-risc0
- name: Install active toolchain
run: rustup install
- name: Download integration test archive
uses: actions/download-artifact@v4
with:
name: integration-tests-archive
- uses: ./.github/actions/restore-risc0-runtime
- name: Install nextest
run: cargo install --locked cargo-nextest
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
tool: nextest@${{ env.NEXTEST_VERSION }}
fallback: none
- name: Run tests
- name: Download integration test archive
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
artifact-ids: ${{ matrix.artifact_id }}
path: ${{ runner.temp }}/integration-test-target
skip-decompress: true
- name: Run integration test target
env:
ARCHIVE_NAME: ${{ matrix.archive }}
RISC0_DEV_MODE: "1"
RUST_LOG: "info"
run: cargo nextest run --archive-file integration-tests.tar.zst -E "binary(${{ matrix.target }})"
RUST_LOG: info
TARGET: ${{ matrix.target }}
run: |
if [[ ! "$TARGET" =~ ^[a-z0-9_]+$ ]]; then
echo "Invalid integration test target: $TARGET" >&2
exit 2
fi
expected_archive="integration-test-$TARGET.tar.zst"
if [[ "$ARCHIVE_NAME" != "$expected_archive" ]]; then
echo "Archive $ARCHIVE_NAME does not match target $TARGET." >&2
exit 2
fi
archive="$RUNNER_TEMP/integration-test-target/$ARCHIVE_NAME"
extract_dir="$RUNNER_TEMP/nextest-target"
echo "::group::Archive and disk usage before extraction"
du -h "$archive"
df -h "$RUNNER_TEMP"
echo "::endgroup::"
mkdir -p "$extract_dir"
cargo-nextest nextest list \
--archive-file "$archive" \
--extract-to "$extract_dir" \
--workspace-remap "$GITHUB_WORKSPACE" \
--list-type binaries-only \
--message-format json \
--no-pager > /dev/null
rm -f "$archive"
echo "::group::Disk usage after extraction"
du -sh "$extract_dir"
df -h "$RUNNER_TEMP"
echo "::endgroup::"
available_kib="$(df --output=avail -k "$RUNNER_TEMP" | tail -n 1 | tr -d ' ')"
minimum_free_kib=$((6 * 1024 * 1024))
if (( available_kib < minimum_free_kib )); then
echo "Less than 6 GiB remains after target extraction." >&2
df -h "$RUNNER_TEMP" >&2
exit 1
fi
cargo-nextest nextest run \
--cargo-metadata "$extract_dir/target/nextest/cargo-metadata.json" \
--binaries-metadata "$extract_dir/target/nextest/binaries-metadata.json" \
--target-dir-remap "$extract_dir/target" \
--workspace-remap "$GITHUB_WORKSPACE" \
--show-progress none \
--success-output immediate \
--status-level all \
--final-status-level all \
--no-output-indent \
-E "binary(=$TARGET)"
valid-proof-test:
runs-on: ubuntu-latest
needs: integration-tests-prepare
runs-on: ubuntu-24.04
timeout-minutes: 90
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: ./.github/actions/restore-risc0-runtime
- name: Install nextest
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
tool: nextest@${{ env.NEXTEST_VERSION }}
fallback: none
- uses: ./.github/actions/install-system-deps
- uses: ./.github/actions/install-risc0
- name: Install active toolchain
run: rustup install
- name: Restore Rust cache
uses: Swatinem/rust-cache@v2
- name: Download auth_transfer integration test archive
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
shared-key: ci-rust-cache
save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }}
artifact-ids: ${{ needs.integration-tests-prepare.outputs.auth-transfer-artifact-id }}
path: ${{ runner.temp }}/integration-test-target
skip-decompress: true
- name: Test valid proof
env:
RUST_LOG: "info"
run: cargo test -p integration_tests -- --exact private::private_transfer_to_owned_account
RISC0_INFO: "1"
RUST_LOG: info,risc0_zkvm::host::client::prove::external=debug,risc0_zkvm::host::server::prove=debug,risc0_zkvm::host::recursion::prove=debug
run: |
archive="$RUNNER_TEMP/integration-test-target/integration-test-auth_transfer.tar.zst"
extract_dir="$RUNNER_TEMP/nextest-target"
mkdir -p "$extract_dir"
cargo-nextest nextest list \
--archive-file "$archive" \
--extract-to "$extract_dir" \
--workspace-remap "$GITHUB_WORKSPACE" \
--list-type binaries-only \
--message-format json \
--no-pager > /dev/null
rm -f "$archive"
echo "Starting non-development RISC Zero succinct proof."
cargo-nextest nextest run \
--cargo-metadata "$extract_dir/target/nextest/cargo-metadata.json" \
--binaries-metadata "$extract_dir/target/nextest/binaries-metadata.json" \
--target-dir-remap "$extract_dir/target" \
--workspace-remap "$GITHUB_WORKSPACE" \
--no-capture \
--show-progress none \
-E 'binary(=auth_transfer) & test(=private::private_transfer_to_owned_account)'
artifacts:
runs-on: ubuntu-latest
timeout-minutes: 60
name: artifacts
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.head_ref }}
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install active toolchain
run: rustup install --profile minimal
- uses: ./.github/actions/install-risc0
with:
profile: build
- name: Restore Rust cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
shared-key: ci-rust-cache
save-if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' }}
cache-bin: false
save-if: false
- name: Install just
run: cargo install --locked just
uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2.83.2
with:
tool: just@1.56.0
fallback: none
- name: Build artifacts
run: just build-artifacts

View File

@ -15,20 +15,20 @@ jobs:
risc0_base:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Log in to registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ${{ secrets.DOCKER_REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and push risc0 base image
uses: docker/build-push-action@v5
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
with:
context: .
file: ./lez/docker/risc0-base.Dockerfile
@ -58,13 +58,13 @@ jobs:
dockerfile: ./lez/explorer_service/Dockerfile
build_args: ""
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Log in to registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ${{ secrets.DOCKER_REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
@ -72,7 +72,7 @@ jobs:
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: ${{ secrets.DOCKER_REGISTRY }}/${{ github.repository }}/${{ matrix.name }}
tags: |
@ -85,7 +85,7 @@ jobs:
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
uses: docker/build-push-action@v5
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
with:
context: .
file: ${{ matrix.dockerfile }}
@ -94,5 +94,5 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
build-args: ${{ matrix.build_args }}
build-contexts: risc0_base=docker-image://${{ secrets.DOCKER_REGISTRY }}/${{ github.repository }}/risc0_base:sha-${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: type=gha,scope=${{ matrix.name }}
cache-to: type=gha,mode=max,scope=${{ matrix.name }}

View File

@ -110,9 +110,9 @@ impl SharedSecretKey {
/// Receiver: decapsulate the shared secret from a KEM ciphertext.
///
/// Returns `None` if the `EphemeralPublicKey` is not exactly [`ML_KEM_768_CIPHERTEXT_LEN`]
/// bytes — callers on the wallet scan path should skip the output rather than panic on
/// malformed chain data.
/// Returns `None` if the `EphemeralPublicKey` is not exactly
/// [`crate::ML_KEM_768_CIPHERTEXT_LEN`] bytes — callers on the wallet scan path should skip
/// the output rather than panic on malformed chain data.
///
/// `d` and `z` are the two 32-byte halves of the FIPS 203 `ViewingSecretKey` seed.
#[must_use]

View File

@ -1,4 +1,4 @@
//! This crate provides [`Program`]s and associated utilities used by LEZ.
//! This crate provides LEZ [`Program`](lee::program::Program) artifacts and related utilities.
#[cfg(feature = "artifacts")]
pub use inner::*;