Merge of #2331

Author: mergify[bot]

.github/workflows/test-suite-compatibility-matrix.yml

@@ -0,0 +1,123 @@
+name: test-suite-compatibility-matrix
+
+on:
+  pull_request:
+    # Include label events so applying or removing `rollout` reevaluates the
+    # job-level gate below without requiring a new commit.
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+      - unlabeled
+  workflow_dispatch:
+    inputs:
+      compat-test:
+        description: "Compat-test JSON path or stem from test-suite/fhevm/compat-tests"
+        default: "v0.12-to-main"
+        type: string
+
+permissions: {}
+
+concurrency:
+  group: test-suite-compatibility-matrix-${{ github.ref }}-${{ inputs.compat-test || 'v0.12-to-main' }}-${{ github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  prepare_rollout:
+    name: prepare-rollout
+    # On PRs, only same-repo heads with the `rollout` label may enter this
+    # secreted compat path. Manual dispatch remains always available.
+    if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && contains(github.event.pull_request.labels.*.name, 'rollout')) }}
+    permissions:
+      contents: 'read' # Required to checkout repository code
+      packages: 'read' # Required to resolve published GitHub Container Registry package tags
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GHCR_READ_TOKEN || github.token }}
+    outputs:
+      compat_test: ${{ steps.prepare.outputs.compat_test }}
+      matrix: ${{ steps.prepare.outputs.matrix }}
+      scenario: ${{ steps.prepare.outputs.scenario }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+
+      - name: Install GitHub CLI
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gh
+
+      - name: Install CLI deps
+        working-directory: test-suite/fhevm
+        run: bun install --frozen-lockfile
+
+      - id: prepare
+        name: Resolve compat-test and generate rollout matrix
+        working-directory: test-suite/fhevm
+        env:
+          COMPAT_TEST_INPUT: ${{ github.event.inputs.compat-test || 'v0.12-to-main' }}
+        run: |
+          set -euo pipefail
+          resolve_test() {
+            local value="$1"
+            local workspace_value="${GITHUB_WORKSPACE}/${value}"
+            local compat_dir="${GITHUB_WORKSPACE}/test-suite/fhevm/compat-tests"
+            if [ -f "$value" ]; then
+              realpath "$value"
+              return
+            fi
+            if [ -f "$workspace_value" ]; then
+              realpath "$workspace_value"
+              return
+            fi
+            if [ -f "${compat_dir}/${value}.json" ]; then
+              realpath "${compat_dir}/${value}.json"
+              return
+            fi
+            if [ -f "${compat_dir}/${value}" ]; then
+              realpath "${compat_dir}/${value}"
+              return
+            fi
+            echo "Could not resolve compat-test: $value" >&2
+            exit 1
+          }
+          compat_test="$(resolve_test "$COMPAT_TEST_INPUT")"
+          compat_test_rel="${compat_test#"$GITHUB_WORKSPACE"/}"
+          scenario="$(jq -r '.execution.scenario // "two-of-two"' "$compat_test")"
+          matrix="$(./fhevm-cli rollout --compat-test "$compat_test" --matrix)"
+          {
+            echo "compat_test=$compat_test_rel"
+            echo "scenario=$scenario"
+            echo "matrix<<EOF"
+            echo "$matrix"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+  compatibility-e2e:
+    name: compatibility-${{ matrix.name }}
+    needs: [prepare_rollout]
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.prepare_rollout.outputs.matrix) }}
+    uses: ./.github/workflows/test-suite-e2e-tests.yml
+    permissions:
+      contents: 'read' # Required by the called workflow to checkout repository code
+      id-token: 'write' # Required by the called workflow for OIDC-authenticated actions
+      packages: 'read' # Required by the called workflow to pull GitHub Container Registry images
+    secrets:
+      GHCR_READ_TOKEN: ${{ secrets.GHCR_READ_TOKEN }}
+      CGR_USERNAME: ${{ secrets.CGR_USERNAME }}
+      CGR_PASSWORD: ${{ secrets.CGR_PASSWORD }}
+    with:
+      build: false
+      compat-test: ${{ needs.prepare_rollout.outputs.compat_test }}
+      rollout-step: ${{ matrix.stepIndex }}
+      scenario: ${{ needs.prepare_rollout.outputs.scenario }}
+      test-profile: standard

.github/workflows/test-suite-e2e-tests.yml

@@ -9,7 +9,7 @@ on:
       - labeled
       - unlabeled
   workflow_dispatch:
-    inputs: &workflow_inputs
+    inputs: &shared_inputs
       orchestrated:
         description: "Run from the orchestrated image-validation path."
         default: false
@@ -82,8 +82,16 @@ on:
         description: "Relayer version"
         default: ""
         type: string
+      compat-test:
+        description: "Compat-test JSON path or stem under test-suite/fhevm/compat-tests"
+        default: ""
+        type: string
+      rollout-step:
+        description: "Compat rollout step index to render locally before boot"
+        default: ""
+        type: string
       lock-artifact-name:
-        description: "Uploaded lock artifact name used to freeze the baseline bundle"
+        description: "Uploaded lock artifact name used to freeze the resolved bundle"
         default: ""
         type: string
       kms-core-version:
@@ -94,6 +102,10 @@ on:
         description: "Deployment scenario (e.g. two-of-two, two-of-two-multi-chain)"
         default: "two-of-two"
         type: string
+      test-profile:
+        description: "Named test profile to run instead of the default standard suite"
+        default: "standard"
+        type: string
   workflow_call:
     secrets:
       GHCR_READ_TOKEN:
@@ -102,26 +114,26 @@ on:
         required: true
       CGR_PASSWORD:
         required: true
-    inputs: *workflow_inputs
+    inputs: *shared_inputs
 
 permissions: {}
 
 # Cancel stale PR runs on new pushes while keeping manual dispatches independent.
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || github.ref }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || 'auto' }}
+  group: ${{ github.workflow }}-${{ inputs.rollout-step != '' && format('compat-{0}-{1}-{2}', github.event_name == 'pull_request' && github.event.pull_request.number || github.ref, inputs.compat-test || 'default', inputs.rollout-step) || github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || github.ref }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || 'auto' }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' || github.ref != 'refs/heads/main' }}
 
 jobs:
   fhevm-e2e-test:
     # Run on manual/reusable invocations. For direct PRs, require the `e2e` label.
-    if: ${{ github.event_name != 'pull_request' || inputs.orchestrated || (github.event.pull_request.head.repo.full_name == github.repository && !startsWith(github.head_ref, 'mergify/merge-queue/') && contains(github.event.pull_request.labels.*.name, 'e2e')) }}
+    if: ${{ github.event_name != 'pull_request' || inputs.orchestrated || inputs.compat-test != '' || (github.event.pull_request.head.repo.full_name == github.repository && !startsWith(github.head_ref, 'mergify/merge-queue/') && contains(github.event.pull_request.labels.*.name, 'e2e')) }}
     permissions:
       contents: 'read' # Required to checkout repository code
       id-token: 'write' # Required for OIDC authentication
       packages: 'read' # Required to read GitHub packages/container registry
     env:
       GH_TOKEN: ${{ github.token }}
-      BUILD: ${{ inputs.orchestrated && 'false' || github.event_name == 'pull_request' && 'true' || inputs.build && 'true' || 'false' }}
+      BUILD: ${{ inputs.compat-test != '' && 'false' || inputs.orchestrated && 'false' || github.event_name == 'pull_request' && 'true' || inputs.build && 'true' || 'false' }}
       COPROCESSOR_DB_MIGRATION_VERSION: ${{ inputs.coprocessor-db-migration-version }}
       COPROCESSOR_HOST_LISTENER_VERSION: ${{ inputs.coprocessor-host-listener-version }}
       COPROCESSOR_GW_LISTENER_VERSION: ${{ inputs.coprocessor-gw-listener-version }}
@@ -140,6 +152,7 @@ jobs:
       RELAYER_VERSION: ${{ inputs.relayer-version }}
       CORE_VERSION: ${{ inputs.kms-core-version }}
       SCENARIO: ${{ inputs.scenario || 'two-of-two' }}
+      TEST_PROFILE: ${{ inputs.test-profile || 'standard' }}
     runs-on: large_ubuntu_32
     steps:
       - name: Checkout code
@@ -181,26 +194,29 @@ jobs:
           sudo apt-get install -y gh
 
       - name: Typecheck CLI
+        if: ${{ inputs.compat-test == '' }}
         working-directory: test-suite/fhevm
         run: bun run check
 
       - name: Unit test CLI
+        if: ${{ inputs.compat-test == '' }}
         working-directory: test-suite/fhevm
         run: bun test src
 
       - name: Compat smoke
+        if: ${{ inputs.compat-test == '' }}
         working-directory: test-suite/fhevm
         run: bun run compat-smoke
 
       - name: Download frozen baseline lock
-        if: ${{ inputs.lock-artifact-name != '' }}
+        if: ${{ inputs.compat-test == '' && inputs.lock-artifact-name != '' }}
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ inputs.lock-artifact-name }}
           path: ${{ runner.temp }}/baseline-lock
 
       - name: Resolve frozen lock path
-        if: ${{ inputs.lock-artifact-name != '' }}
+        if: ${{ inputs.compat-test == '' && inputs.lock-artifact-name != '' }}
         run: |
           set -euo pipefail
           lock_file="$(find "${RUNNER_TEMP}/baseline-lock" -maxdepth 1 -name '*.json' -print -quit)"
@@ -210,8 +226,49 @@ jobs:
           fi
           echo "LOCK_FILE=$lock_file" >> "$GITHUB_ENV"
 
+      - name: Render compat rollout step
+        if: ${{ inputs.compat-test != '' }}
+        working-directory: test-suite/fhevm
+        env:
+          COMPAT_TEST_INPUT: ${{ inputs.compat-test }}
+          ROLLOUT_STEP_INPUT: ${{ inputs.rollout-step }}
+        run: |
+          set -euo pipefail
+          resolve_test() {
+            local value="$1"
+            local workspace_value="${GITHUB_WORKSPACE}/${value}"
+            local compat_dir="${GITHUB_WORKSPACE}/test-suite/fhevm/compat-tests"
+            if [ -f "$value" ]; then
+              realpath "$value"
+              return
+            fi
+            if [ -f "$workspace_value" ]; then
+              realpath "$workspace_value"
+              return
+            fi
+            if [ -f "${compat_dir}/${value}.json" ]; then
+              realpath "${compat_dir}/${value}.json"
+              return
+            fi
+            if [ -f "${compat_dir}/${value}" ]; then
+              realpath "${compat_dir}/${value}"
+              return
+            fi
+            echo "Could not resolve compat-test: $value" >&2
+            exit 1
+          }
+          compat_test="$(resolve_test "$COMPAT_TEST_INPUT")"
+          lock_file="${RUNNER_TEMP}/compat-step.lock.json"
+          ./fhevm-cli rollout --compat-test "$compat_test" --step "${ROLLOUT_STEP_INPUT:-0}" --out "$lock_file"
+          echo "LOCK_FILE=$lock_file" >> "$GITHUB_ENV"
+
+      - name: Resolve compat local overrides
+        if: ${{ inputs.compat-test != '' }}
+        run: |
+          echo "COMPAT_OVERRIDES=test-suite" >> "$GITHUB_ENV"
+
       - name: Resolve latest-main lock once
-        if: ${{ inputs.lock-artifact-name == '' && !inputs.orchestrated }}
+        if: ${{ inputs.compat-test == '' && inputs.lock-artifact-name == '' && !inputs.orchestrated }}
         working-directory: test-suite/fhevm
         run: |
           lock_file="$(./fhevm-cli resolve --target latest-main | tail -n1)"
@@ -233,6 +290,12 @@ jobs:
           if [ "$BUILD" = "true" ]; then
             args+=(--build)
           fi
+          if [ -n "${COMPAT_OVERRIDES:-}" ]; then
+            IFS=',' read -r -a override_groups <<< "$COMPAT_OVERRIDES"
+            for group in "${override_groups[@]}"; do
+              [ -n "$group" ] && args+=(--override "$group")
+            done
+          fi
           ./fhevm-cli up "${args[@]}" --dry-run
 
       - name: Boot fhevm Stack
@@ -247,19 +310,28 @@ jobs:
           if [ "$BUILD" = "true" ]; then
             args+=(--build)
           fi
+          if [ -n "${COMPAT_OVERRIDES:-}" ]; then
+            IFS=',' read -r -a override_groups <<< "$COMPAT_OVERRIDES"
+            for group in "${override_groups[@]}"; do
+              [ -n "$group" ] && args+=(--override "$group")
+            done
+          fi
           ./fhevm-cli up "${args[@]}"
 
-      - name: Standard e2e suite
+      - name: Selected e2e suite
         working-directory: test-suite/fhevm
         run: |
-          ./fhevm-cli test standard
+          ./fhevm-cli test "$TEST_PROFILE"
 
       - name: Host listener poller test
+        if: ${{ inputs.test-profile == '' || inputs.test-profile == 'standard' }}
         working-directory: test-suite/fhevm
         run: |
+          trap 'docker start coprocessor-host-listener >/dev/null 2>&1 || true' EXIT
           docker stop coprocessor-host-listener
           ./fhevm-cli test erc20
           docker start coprocessor-host-listener
+          trap - EXIT
 
       - name: Show logs
         working-directory: test-suite/fhevm

coprocessor/fhevm-engine/Dockerfile.workspace

@@ -201,13 +201,15 @@ COPY --from=sqlx_builder /usr/local/cargo/bin/sqlx /usr/local/bin/sqlx
 COPY coprocessor/fhevm-engine/db-migration/initialize_db.sh /initialize_db.sh
 COPY coprocessor/fhevm-engine/db-migration/insert_test_host_chain.sh /insert_test_host_chain.sh
 COPY coprocessor/fhevm-engine/db-migration/migrations /migrations
+COPY coprocessor/fhevm-engine/db-migration/db-scripts /db-scripts
+COPY coprocessor/fhevm-engine/db-migration/revert_coprocessor_db_state.sh /revert_coprocessor_db_state.sh
 
 # Copy user/group from builder for consistency
 COPY --from=builder /etc/group /etc/group
 COPY --from=builder /etc/passwd /etc/passwd
 
 # Set ownership
-RUN chown -R fhevm:fhevm /initialize_db.sh /insert_test_host_chain.sh /migrations
+RUN chown -R fhevm:fhevm /initialize_db.sh /insert_test_host_chain.sh /migrations /db-scripts /revert_coprocessor_db_state.sh
 
 USER fhevm:fhevm
 

test-suite/e2e/Dockerfile

@@ -1,7 +1,9 @@
 ARG NODE_VERSION=20.19.1-alpine3.21
+ARG RELAYER_SDK_VERSION=""
 
 # --- Builder Stage ---
 FROM node:${NODE_VERSION} AS builder
+ARG RELAYER_SDK_VERSION=""
 
 WORKDIR /app
 
@@ -26,7 +28,10 @@ COPY test-suite/e2e/package.json ./test-suite/e2e/
 
 # Install dependencies
 RUN npm ci && \
-    npm prune
+    npm prune && \
+    if [ -n "$RELAYER_SDK_VERSION" ]; then \
+      npm install --prefix test-suite/e2e --no-save "@zama-fhe/relayer-sdk@${RELAYER_SDK_VERSION}"; \
+    fi
 
 # Copy sources after deps are cached
 COPY library-solidity ./library-solidity