
Superblocks type

Superblocks type #21

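name: PR tests (with secrets)
# This workflow uses pull_request_target to allow external PRs to access secrets
# after a maintainer approves the workflow run.
#
# SECURITY NOTE: This workflow intentionally checks out untrusted code from PRs
# to run tests with secrets. The design relies on the following assumptions:
# 1. GitHub requires maintainer approval before running for external
#    contributors.
#    NOTE(review): GitHub's documentation states that workflows triggered by
#    pull_request_target always run, regardless of the fork-approval setting.
#    Nothing in this file adds its own gate (no `environment:` with required
#    reviewers, no label or author check) - confirm where approval is actually
#    enforced before relying on it.
# 2. The workflow code itself (this file) is controlled and runs from the base
#    branch.
# 3. We only run predefined build/test commands, not arbitrary PR code.
#    NOTE(review): the command lines are fixed, but what they execute comes
#    from the PR checkout: `cargo build` compiles the PR's crates (build
#    scripts and proc macros run at build time), the local action
#    ./.github/actions/patch-openvm-reth-benchmark is loaded from the
#    checked-out workspace, `pip install -r` reads requirements files from the
#    checkout, and ./run.sh runs from openvm-reth-benchmark before its pinned
#    ref is verified. Treat every step after checkout as running untrusted
#    code that can read secrets.RPC_1.
# 4. Cache poisoning risk is acceptable for these specific test jobs.
#    NOTE(review): the cache keys below depend only on runner OS and the
#    Cargo.toml hashes; confirm no trusted workflow restores the same keys.
on:
  # also allow this to be run manually (so we can test changes to the workflow
  # in a branch)
  workflow_dispatch:
  pull_request_target:
    types: [opened, synchronize, reopened]
# Cancel any previous running workflows for the same PR. Manual
# (workflow_dispatch) runs have no PR number, so fall back to the ref;
# otherwise every manual run shares one group and cancels the others.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
# Minimal permissions for security: the job token can only read contents.
permissions:
  contents: read
env:
  CARGO_TERM_COLOR: always
  POWDR_OPENVM_SEGMENT_DELTA: 50000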
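jobs:
  # Builds powdr-openvm from the PR head and runs the reth benchmark in
  # compile mode with 10 APCs. Every step after checkout operates on
  # PR-controlled files while secrets.RPC_1 is available to the job.
  test_apc_reth_compilation:
    runs-on: warp-ubuntu-2404-x64-8x
    steps:
      # IMPORTANT: Checkout the PR head, not the base branch
      # NOTE(review): the action is pinned by tag; pinning to a full commit SHA
      # keeps a moved tag from changing what runs. persist-credentials is left
      # at its default, so the job token stays in the checkout's git config
      # while PR code runs; consider `persist-credentials: false` if the later
      # `git fetch` does not need it.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          submodules: recursive
      - name: ⚡ Cache rust
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-release-${{ hashFiles('**/Cargo.toml') }}
      # Compiles the checked-out PR code; build scripts and proc macros execute
      # on the runner during this step.
      - name: Build
        run: cargo build --release -p powdr-openvm
      - name: Install cargo openvm
        # Rust 1.90 is needed by fresher versions of dependencies of cargo-openvm.
        # Fetched over https so the clone is not requested in cleartext.
        # NOTE(review): --tag follows a mutable git tag; --rev with a commit
        # hash would fix the exact source being installed.
        run: |
          rustup toolchain install 1.90
          cargo +1.90 install --git 'https://github.com/powdr-labs/openvm.git' --tag "v1.4.2-powdr-rc.1" --locked cargo-openvm
      # Local action: resolved from the workspace, i.e. from the PR checkout.
      - name: Patch benchmark
        uses: ./.github/actions/patch-openvm-reth-benchmark
      - name: Run small execution test with APCs
        # The secret is passed through the step environment instead of being
        # interpolated into the script text, so the shell never parses its
        # value as code.
        env:
          RPC_1: ${{ secrets.RPC_1 }}
        run: |
          cd openvm-reth-benchmark
          echo "export RPC_1=${RPC_1}" >> .env
          PGO_TYPE="instruction" /usr/bin/time -v ./run.sh --apc 10 --mode compile
      # Check that reth commit is on main.
      # Do that after the actual test so that the step above passes when
      # checking that a reth PR commit works with a powdr PR.
      # NOTE(review): because of this ordering, ./run.sh from the pinned ref
      # has already run with RPC_1 in its .env by the time the ref is checked.
      - name: Verify openvm-reth-benchmark ref is on main
        shell: bash
        run: |
          cd openvm-reth-benchmark
          if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
            git fetch --quiet --unshallow origin main
          else
            git fetch --quiet origin main
          fi
          if ! git merge-base --is-ancestor HEAD origin/main; then
            echo "Pinned ref is not in origin/main history."
            echo "HEAD: $(git rev-parse HEAD)"
            echo "origin/main: $(git rev-parse origin/main)"
            exit 1
          fi
  # Builds powdr-openvm from the PR head and runs the reth benchmark in
  # prove-app mode with 3 APCs. The same trust considerations as the
  # compilation job apply: PR-controlled code runs with secrets.RPC_1.
  test_apc_reth_app_proof:
    runs-on: warp-ubuntu-2404-x64-32x
    steps:
      # IMPORTANT: Checkout the PR head, not the base branch
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          submodules: recursive
      - name: ⚡ Cache rust
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-release-apc-reth-app-proof-${{ hashFiles('**/Cargo.toml') }}
      - name: Build
        run: cargo build --release -p powdr-openvm
      - name: Install cargo openvm
        # Rust 1.90 is needed by fresher versions of dependencies of cargo-openvm.
        # Fetched over https so the clone is not requested in cleartext.
        run: |
          rustup toolchain install 1.90
          cargo +1.90 install --git 'https://github.com/powdr-labs/openvm.git' --tag "v1.4.2-powdr-rc.1" --locked cargo-openvm
      # Both requirements files are read from the PR checkout, so the set of
      # packages installed here is PR-controlled.
      - name: Setup python venv
        run: |
          python3 -m venv .venv
          source .venv/bin/activate
          pip install -r openvm/scripts/requirements.txt
          pip install -r autoprecompiles/scripts/requirements.txt
      # Local action: resolved from the workspace, i.e. from the PR checkout.
      - name: Patch benchmark
        uses: ./.github/actions/patch-openvm-reth-benchmark
      - name: Run reth benchmark
        # The secret is passed through the step environment instead of being
        # interpolated into the script text.
        env:
          RPC_1: ${{ secrets.RPC_1 }}
        run: |
          source .venv/bin/activate
          cd openvm-reth-benchmark
          RES_DIR=reth
          mkdir -p "$RES_DIR"
          echo "export RPC_1=${RPC_1}" >> .env
          # prove with 3 APCs
          APC=3 ./run.sh --mode prove-app || exit 1
          echo "Finished proving with 3 APCs"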