feat(demo): ZK-Sudoku — real arkworks Groth16, verified by mosaic-gro… #115
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| merge_group: | |
| # Lock the workflow to read-only by default. Individual jobs can | |
| # escalate via their own `permissions:` block when they actually need | |
| # write access — none of the current jobs do. | |
| permissions: | |
| contents: read | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| RUSTFLAGS: -D warnings | |
| jobs: | |
| docs-changes: | |
| name: docs changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| typo-check: ${{ steps.filter.outputs.typo-check }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Pinned to v3.0.2 commit (SHA verified via | |
| # `gh api repos/dorny/paths-filter/git/ref/tags/v3.0.2`). | |
| # Audit firms expect SHA pins for every third-party action | |
| # under the `audit-first` posture documented in SECURITY.md. | |
| - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
| id: filter | |
| with: | |
| filters: | | |
| typo-check: | |
| - "**/*.md" | |
| - "docs/**" | |
| - "typos.toml" | |
| - ".github/workflows/ci.yml" | |
| typo-check: | |
| name: typos | |
| runs-on: ubuntu-latest | |
| needs: docs-changes | |
| if: github.event_name != 'pull_request' || needs.docs-changes.outputs.typo-check == 'true' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Pinned to v1.46.0 commit (SHA verified via | |
| # `gh api repos/crate-ci/typos/git/ref/tags/v1.46.0`). | |
| - uses: crate-ci/typos@6ac2ebd1b93eade61faf7e12688ad87a073fea59 # v1.46.0 | |
| fmt: | |
| name: rustfmt | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - run: cargo fmt --all --check | |
| clippy: | |
| name: clippy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - uses: Swatinem/rust-cache@v2 | |
| # Layered clippy policy (see docs/lint-policy.md): | |
| # - correctness + suspicious → hard deny (real bugs). | |
| # - todo / unimplemented / panic-paths → hard deny (consensus risk). | |
| # - pedantic + nursery + cargo → warn at workspace level, visible in | |
| # the log but do NOT fail CI. Audit firms can read the lint log to | |
| # see what's suppressed and why. | |
| # | |
| # The blanket `-D warnings` would promote pedantic noise to error; | |
| # we deliberately list only the deny categories we actually want | |
| # to fail on. | |
| - run: | | |
| cargo clippy --workspace --all-features --all-targets -- \ | |
| -D clippy::correctness \ | |
| -D clippy::suspicious \ | |
| -D clippy::todo \ | |
| -D clippy::unimplemented | |
| test-host: | |
| name: tests (host) | |
| runs-on: ubuntu-latest | |
| env: | |
| # Needed by crates/mosaic-program/tests/verify_proof_sbf.rs; when | |
| # the SBF artifact is missing the test self-skips, so this env var | |
| # is only load-bearing in the test-sbf job below. | |
| BPF_OUT_DIR: ${{ github.workspace }}/target/deploy | |
| SBF_OUT_DIR: ${{ github.workspace }}/target/deploy | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo test --workspace --all-features | |
| test-sbf: | |
| name: tests (SBF integration) | |
| runs-on: ubuntu-latest | |
| needs: build-sbf | |
| env: | |
| BPF_OUT_DIR: ${{ github.workspace }}/target/deploy | |
| SBF_OUT_DIR: ${{ github.workspace }}/target/deploy | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Install Solana CLI | |
| run: | | |
| sh -c "$(curl -sSfL https://release.anza.xyz/v3.0.15/install)" | |
| echo "$HOME/.local/share/solana/install/active_release/bin" >> "$GITHUB_PATH" | |
| - name: Build SBF program | |
| run: cargo build-sbf --tools-version v1.52 --manifest-path crates/mosaic-program/Cargo.toml | |
| - name: Run SBF integration tests | |
| run: cargo test -p mosaic-program --test verify_proof_sbf | |
| build-sbf: | |
| name: build-sbf | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - name: Install Solana CLI | |
| run: | | |
| sh -c "$(curl -sSfL https://release.anza.xyz/v3.0.15/install)" | |
| echo "$HOME/.local/share/solana/install/active_release/bin" >> "$GITHUB_PATH" | |
| # platform-tools v1.52 ships rustc 1.89.0-dev; needed because some | |
| # transitive deps (constant_time_eq 0.4.x via blake3) require | |
| # edition2024, which the v1.51 default (rustc 1.84) cannot parse. | |
| - run: cargo build-sbf --tools-version v1.52 --manifest-path crates/mosaic-program/Cargo.toml | |
| - name: Verify SBF artifact | |
| run: | | |
| test -f target/deploy/mosaic_program.so | |
| file target/deploy/mosaic_program.so | grep -q "ELF 64-bit LSB" | |
| doc: | |
| name: rustdoc | |
| runs-on: ubuntu-latest | |
| env: | |
| RUSTDOCFLAGS: -D warnings --cfg docsrs | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@nightly | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo +nightly doc --workspace --no-deps --all-features | |
| msrv: | |
| name: msrv | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@1.85.0 | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo check --workspace --all-features |