zama-ai · Eikix · Mar 9, 2026 · Mar 11, 2026 · Mar 16, 2026 · Mar 16, 2026
@@ -97,6 +97,7 @@ charts/
 # -----------------------------------------------------------------------------
 # Git-related (keep .git/ for build metadata, exclude others)
 # -----------------------------------------------------------------------------
+.git/lfs/
 .gitignore
 .gitattributes
 **/.gitkeep

@@ -2,7 +2,7 @@ name: test-suite-e2e-operators-tests
 
 # Github does not support more than 10 inputs for workflow_dispatch:
 # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#providing-inputs
-# Core, relayer and test-suite will use the default versions defined in the `fhevm-cli` script
+# Core, relayer and test-suite follow the latest-main defaults unless explicitly pinned
 on:
   workflow_dispatch:
     inputs:
@@ -82,6 +82,21 @@ jobs:
       contents: 'read' # Required to checkout repository code
       id-token: 'write' # Required for OIDC authentication
       packages: 'read' # Required to read GitHub packages/container registry
+    env:
+      GH_TOKEN: ${{ secrets.GHCR_READ_TOKEN || github.token }}
+      CONNECTOR_DB_MIGRATION_VERSION: ${{ inputs.connector_version }}
+      CONNECTOR_GW_LISTENER_VERSION: ${{ inputs.connector_version }}
+      CONNECTOR_KMS_WORKER_VERSION: ${{ inputs.connector_version }}
+      CONNECTOR_TX_SENDER_VERSION: ${{ inputs.connector_version }}
+      COPROCESSOR_DB_MIGRATION_VERSION: ${{ inputs.db_migration_version }}
+      HOST_VERSION: ${{ inputs.host_version }}
+      GATEWAY_VERSION: ${{ inputs.gateway_version }}
+      COPROCESSOR_HOST_LISTENER_VERSION: ${{ inputs.host_listener_version }}
+      COPROCESSOR_GW_LISTENER_VERSION: ${{ inputs.gateway_listener_version }}
+      COPROCESSOR_TX_SENDER_VERSION: ${{ inputs.tx_sender_version }}
+      COPROCESSOR_TFHE_WORKER_VERSION: ${{ inputs.tfhe_worker_version }}
+      COPROCESSOR_SNS_WORKER_VERSION: ${{ inputs.sns_worker_version }}
+      COPROCESSOR_ZKPROOF_WORKER_VERSION: ${{ inputs.zkproof_worker_version }}
     runs-on: ${{ needs.setup-instance.outputs.runner-name }}
     needs: setup-instance
     timeout-minutes: 1440
@@ -90,11 +105,25 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: 'false'
+          fetch-depth: 0
 
       - name: Setup Docker
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
-      - name: Install Foundry
+      - name: Install unzip
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y unzip
+
+      - name: Install GitHub CLI
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gh
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+
+      - name: Install foundry
         uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
 
       - name: Login to GitHub Container Registry
@@ -111,24 +140,15 @@ jobs:
           username: ${{ secrets.CGR_USERNAME }}
           password: ${{ secrets.CGR_PASSWORD }}
 
+      - name: Install CLI deps
+        working-directory: test-suite/fhevm
+        run: |
+          bun install --frozen-lockfile
+
       - name: Deploy fhevm Stack
         working-directory: test-suite/fhevm
-        env:
-          CONNECTOR_DB_MIGRATION_VERSION: ${{ inputs.connector_version }}
-          CONNECTOR_GW_LISTENER_VERSION: ${{ inputs.connector_version }}
-          CONNECTOR_KMS_WORKER_VERSION: ${{ inputs.connector_version }}
-          CONNECTOR_TX_SENDER_VERSION: ${{ inputs.connector_version }}
-          DB_MIGRATION_VERSION: ${{ inputs.db_migration_version }}
-          HOST_VERSION: ${{ inputs.host_version }}
-          GATEWAY_VERSION: ${{ inputs.gateway_version }}
-          HOST_LISTENER_VERSION: ${{ inputs.host_listener_version }}
-          GW_LISTENER_VERSION: ${{ inputs.gateway_listener_version }}
-          TX_SENDER_VERSION: ${{ inputs.tx_sender_version }}
-          TFHE_WORKER_VERSION: ${{ inputs.tfhe_worker_version }}
-          SNS_WORKER_VERSION: ${{ inputs.sns_worker_version }}
-          ZKPROOF_WORKER_VERSION: ${{ inputs.zkproof_worker_version }}
         run: |
-          ./fhevm-cli deploy --coprocessors 2 --coprocessor-threshold 2
+          ./fhevm-cli up --target latest-main --scenario ./scenarios/two-of-two.yaml
 
       - name: All operators tests
         working-directory: test-suite/fhevm
@@ -142,32 +162,39 @@ jobs:
 
       - name: Show logs on test failure
         working-directory: test-suite/fhevm
-        if: always()
+        if: failure()
         run: |
-          echo "::group::Relayer Logs"
-          ./fhevm-cli logs relayer
-          echo "::endgroup::"
-          echo "::group::SNS Worker Logs"
-          ./fhevm-cli logs sns-worker | grep -v "Selected 0 rows to process"
-          echo "::endgroup::"
-          echo "::group::Transaction Sender Logs (filtered)"
-          ./fhevm-cli logs transaction-sender | grep -v "Selected 0 rows to process"
-          echo "::endgroup::"
-          echo "::group::Coprocessor 2 - SNS Worker"
-          ./fhevm-cli logs coprocessor-2-sns-worker 2>/dev/null | grep -v "Selected 0 rows to process" || true
-          echo "::endgroup::"
-          echo "::group::Coprocessor 2 - Transaction Sender (filtered)"
-          ./fhevm-cli logs coprocessor-2-transaction-sender 2>/dev/null | grep -v "Selected 0 rows to process" || true
-          echo "::endgroup::"
-          echo "::group::Coprocessor 2 - TFHE Worker"
-          ./fhevm-cli logs coprocessor-2-tfhe-worker 2>/dev/null || true
-          echo "::endgroup::"
+          snapshot_logs() {
+            local group="$1"
+            local container="$2"
+            local filter="${3:-}"
+            echo "::group::${group}"
+            if [ -n "$filter" ]; then
+              docker logs --tail 200 "${container}" 2>&1 | grep -v "$filter" || true
+            else
+              docker logs --tail 200 "${container}" 2>&1 || true
+            fi
+            echo "::endgroup::"
+          }
+          snapshot_logs "Relayer Logs" fhevm-relayer
+          snapshot_logs "Host Listener" coprocessor-host-listener
+          snapshot_logs "Gateway Listener" coprocessor-gw-listener
+          snapshot_logs "SNS Worker Logs" coprocessor-sns-worker "Selected 0 rows to process"
+          snapshot_logs "Transaction Sender Logs (filtered)" coprocessor-transaction-sender "Selected 0 rows to process"
+          snapshot_logs "ZKProof Worker" coprocessor-zkproof-worker
+          snapshot_logs "TFHE Worker" coprocessor-tfhe-worker
+          snapshot_logs "Coprocessor 2 - Host Listener" coprocessor1-host-listener
+          snapshot_logs "Coprocessor 2 - Gateway Listener" coprocessor1-gw-listener
+          snapshot_logs "Coprocessor 2 - SNS Worker" coprocessor1-sns-worker "Selected 0 rows to process"
+          snapshot_logs "Coprocessor 2 - Transaction Sender (filtered)" coprocessor1-transaction-sender "Selected 0 rows to process"
+          snapshot_logs "Coprocessor 2 - ZKProof Worker" coprocessor1-zkproof-worker
+          snapshot_logs "Coprocessor 2 - TFHE Worker" coprocessor1-tfhe-worker
 
       - name: Cleanup
         working-directory: test-suite/fhevm
         if: always()
         run: |
-          ./fhevm-cli clean
+          ./fhevm-cli clean --images
 
   teardown-instance:
     name: test-suite-e2e-operators-tests/teardown

@@ -1,8 +1,13 @@
 name: test-suite-e2e-tests
 
 on:
+  pull_request:
   workflow_dispatch:
     inputs: &workflow_inputs
+      build:
+        description: "Build repo-owned images from the checked out branch on the runner"
+        default: true
+        type: boolean
       coprocessor-db-migration-version:
         description: "Coprocessor DB Migration Image Version"
         default: ""
@@ -59,18 +64,6 @@ on:
         description: "Test suite version"
         default: ""
         type: string
-      relayer-version:
-        description: "Relayer version"
-        default: ""
-        type: string
-      kms-core-version:
-        description: "KMS Core version"
-        default: ""
-        type: string
-      deploy-build:
-        description: "Build local Docker images from the checked out repository before deploy"
-        default: false
-        type: boolean
   workflow_call:
     secrets:
       GHCR_READ_TOKEN:
@@ -83,10 +76,10 @@ on:
 
 permissions: {}
 
-# Allow to run multiple instances of the same workflow in parallel when triggered manually
+# Cancel stale PR runs on new pushes while keeping manual dispatches independent.
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || 'auto' }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || github.ref }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || 'auto' }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || github.ref != 'refs/heads/main' }}
 
 jobs:
   fhevm-e2e-test:
@@ -95,6 +88,8 @@ jobs:
       id-token: 'write' # Required for OIDC authentication
       packages: 'read' # Required to read GitHub packages/container registry
     env:
+      GH_TOKEN: ${{ secrets.GHCR_READ_TOKEN || github.token }}
+      BUILD: ${{ github.event_name == 'pull_request' && 'true' || (inputs.build && 'true' || 'false') }}
       COPROCESSOR_DB_MIGRATION_VERSION: ${{ inputs.coprocessor-db-migration-version }}
       COPROCESSOR_HOST_LISTENER_VERSION: ${{ inputs.coprocessor-host-listener-version }}
       COPROCESSOR_GW_LISTENER_VERSION: ${{ inputs.coprocessor-gw-listener-version }}
@@ -109,19 +104,21 @@ jobs:
       CONNECTOR_KMS_WORKER_VERSION: ${{ inputs.connector-kms-worker-version }}
       CONNECTOR_TX_SENDER_VERSION: ${{ inputs.connector-tx-sender-version }}
       TEST_SUITE_VERSION: ${{ inputs.test-suite-version }}
-      RELAYER_VERSION: ${{ inputs.relayer-version }}
-      CORE_VERSION: ${{ inputs.kms-core-version }}
     runs-on: large_ubuntu_32
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: 'false'
+          fetch-depth: 0
 
       - name: Setup Docker
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
-      - name: Install Foundry
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+
+      - name: Install foundry
         uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
 
       - name: Login to GitHub Container Registry
@@ -138,22 +135,27 @@ jobs:
           username: ${{ secrets.CGR_USERNAME }}
           password: ${{ secrets.CGR_PASSWORD }}
 
-      - name: Display component versions
-        env:
-          JSON_INPUT: ${{ toJSON(inputs) }}
+      - name: Install CLI deps
+        working-directory: test-suite/fhevm
+        run: bun install --frozen-lockfile
+
+      - name: Dry run
+        working-directory: test-suite/fhevm
         run: |
-          echo "Component versions: $JSON_INPUT"
+          args=(--target latest-main --scenario ./scenarios/two-of-two.yaml)
+          if [ "$BUILD" = "true" ]; then
+            args+=(--build)
+          fi
+          ./fhevm-cli up "${args[@]}" --dry-run
 
-      - name: Deploy fhevm Stack
+      - name: Boot fhevm Stack
         working-directory: test-suite/fhevm
-        env:
-          DEPLOY_BUILD: ${{ inputs.deploy-build }}
         run: |
-          if [[ "$DEPLOY_BUILD" == 'true' ]]; then
-            ./fhevm-cli deploy --build --coprocessors 2 --coprocessor-threshold 2
-          else
-            ./fhevm-cli deploy --coprocessors 2 --coprocessor-threshold 2
+          args=(--target latest-main --scenario ./scenarios/two-of-two.yaml)
+          if [ "$BUILD" = "true" ]; then
+            args+=(--build)
           fi
+          ./fhevm-cli up "${args[@]}"
 
       # E2E tests on pausing the Host contracts
       - name: Pause Host Contracts
@@ -252,41 +254,36 @@ jobs:
 
       - name: Show logs on test failure
         working-directory: test-suite/fhevm
-        if: always()
+        if: failure()
         run: |
-          echo "::group::Relayer Logs"
-          ./fhevm-cli logs fhevm-relayer
-          echo "::endgroup::"
-          echo "::group::SNS Worker Logs"
-          ./fhevm-cli logs coprocessor-sns-worker | grep -v "Selected 0 rows to process"
-          echo "::endgroup::"
-          echo "::group::Transaction Sender Logs (filtered)"
-          ./fhevm-cli logs coprocessor-transaction-sender | grep -v "Selected 0 rows to process"
-          echo "::endgroup::"
-          echo "::group::Host Listener"
-          ./fhevm-cli logs coprocessor-host-listener
-          echo "::endgroup::"
-          echo "::group::Gateway Listener"
-          ./fhevm-cli logs coprocessor-gw-listener
-          echo "::endgroup::"
-          echo "::group::ZKProof Worker"
-          ./fhevm-cli logs coprocessor-zkproof-worker
-          echo "::endgroup::"
-          echo "::group::TFHE Worker"
-          ./fhevm-cli logs coprocessor-tfhe-worker
-          echo "::endgroup::"
-          echo "::group::Coprocessor 2 - SNS Worker"
-          ./fhevm-cli logs coprocessor-2-sns-worker 2>/dev/null | grep -v "Selected 0 rows to process" || true
-          echo "::endgroup::"
-          echo "::group::Coprocessor 2 - Transaction Sender (filtered)"
-          ./fhevm-cli logs coprocessor-2-transaction-sender 2>/dev/null | grep -v "Selected 0 rows to process" || true
-          echo "::endgroup::"
-          echo "::group::Coprocessor 2 - TFHE Worker"
-          ./fhevm-cli logs coprocessor-2-tfhe-worker 2>/dev/null || true
-          echo "::endgroup::"
+          snapshot_logs() {
+            local group="$1"
+            local container="$2"
+            local filter="${3:-}"
+            echo "::group::${group}"
+            if [ -n "$filter" ]; then
+              docker logs --tail 200 "${container}" 2>&1 | grep -v "$filter" || true
+            else
+              docker logs --tail 200 "${container}" 2>&1 || true
+            fi
+            echo "::endgroup::"
+          }
+          snapshot_logs "Relayer Logs" fhevm-relayer
+          snapshot_logs "SNS Worker Logs" coprocessor-sns-worker "Selected 0 rows to process"
+          snapshot_logs "Transaction Sender Logs (filtered)" coprocessor-transaction-sender "Selected 0 rows to process"
+          snapshot_logs "Host Listener" coprocessor-host-listener
+          snapshot_logs "Gateway Listener" coprocessor-gw-listener
+          snapshot_logs "ZKProof Worker" coprocessor-zkproof-worker
+          snapshot_logs "TFHE Worker" coprocessor-tfhe-worker
+          snapshot_logs "Coprocessor 2 - Host Listener" coprocessor1-host-listener
+          snapshot_logs "Coprocessor 2 - Gateway Listener" coprocessor1-gw-listener
+          snapshot_logs "Coprocessor 2 - SNS Worker" coprocessor1-sns-worker "Selected 0 rows to process"
+          snapshot_logs "Coprocessor 2 - Transaction Sender (filtered)" coprocessor1-transaction-sender "Selected 0 rows to process"
+          snapshot_logs "Coprocessor 2 - ZKProof Worker" coprocessor1-zkproof-worker
+          snapshot_logs "Coprocessor 2 - TFHE Worker" coprocessor1-tfhe-worker
 
       - name: Cleanup
         working-directory: test-suite/fhevm
         if: always()
         run: |
-          ./fhevm-cli clean
+          ./fhevm-cli clean --images