ci: add PR verification workflow#18
Open
rz1989s wants to merge 1 commit into
Open
Conversation
This repo had no PR CI, so Dependabot bumps landed unverified (sip-protocol/sip-protocol#1186). Add a workflow that runs on PRs and pushes to main: - cargo check -p encrypted-ixs — compiles the Arcis circuit crate and its arcis/blake3/arcium-core dependency tree (rust 1.89.0). - npm ci — verifies the npm lockfile resolves. The on-chain Anchor program build is intentionally out of scope: its Arcium macros need build/*.arcis from the Arcium toolchain, tracked with the Anchor 1.0 toolchain work (sip-protocol/sip-protocol#1161). Refs sip-protocol/sip-protocol#1186
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a
CIworkflow that runs on PRs and pushes tomaster:cargo check (encrypted-ixs)— compiles the Arcis circuit crate and itsarcis/blake3/arcium-core/solana-zk-sdkdependency tree (rust 1.89.0, pinned byrust-toolchain.toml). ~14s locally.npm ci— verifies the npm lockfile resolves.Why
Per the org Dependabot audit (sip-protocol/sip-protocol#1186), this repo had no PR CI, so its open Dependabot bumps (anchor-lang, arcium-*, chai, mocha, ts-mocha, typescript, actions, …) were landing unverified.
Honest scope note
The on-chain Anchor program (
programs/sip_arcium_transfer) is intentionally not built here. Its#[arcium_program]/#[arcium_callback]macros require the Arcis circuits to be pre-compiled tobuild/*.arcisby the Arcium toolchain (arcium build+ solana + anchor);cargo check --workspacepanics without them. Standing that up in CI is tracked with the Anchor 1.0 toolchain reconciliation (sip-protocol/sip-protocol#1161). So this verifies only what compiles/resolves without the toolchain (the circuit crate + npm) — it is not full program-compile coverage, consistent with the audit's "CI-pass ≠ safe for majors" guidance.Verification
Validated locally (rust 1.89.0):
cargo check -p encrypted-ixs→ clean (13.7s);npm ci→ resolves. The Linux path is exercised by this PR's own CI run.Refs sip-protocol/sip-protocol#1186