Skip to content
Back to pull request #12148

feat: recording circuit inputs + oracles #1071

Sign in to view logs

feat: recording circuit inputs + oracles

feat: recording circuit inputs + oracles #1071

Workflow file for this run

.github/workflows/ci3-external.yml at 1457278
# CI for external Aztec contributors. Like ci3.yml, but more locked down.
name: CI3 (External)
on:
# For external devs. Workflow file edits won't take effect in the PR.
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, labeled]
concurrency:
# Only allow one run per <forked-repo>/<branch>.
group: |
ci3-external-${{format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.head_ref)}}
cancel-in-progress: true
jobs:
ci-external:
runs-on: ubuntu-latest
# exclusive with ci3.yml, only run on forks.
if: github.event.pull_request.head.repo.full_name != github.repository
steps:
#############
# Prepare Env
#############
- name: Checkout
uses: actions/checkout@v4
with:
# The commit to checkout. We want our actual commit, and not the result of merging the PR to the target.
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Fail If Draft
if: github.event.pull_request.draft && (github.event.action != 'labeled' || github.event.label.name != 'trigger-workflow')
run: echo "CI is not run on drafts." && exit 1
- name: External Contributor Checks
# Run only if a pull request event type and we have a forked repository origin.
if: |
(github.event_name == 'pull_request' || github.event_name == 'pull_request_target') &&
github.event.pull_request.head.repo.full_name != github.repository
run: |
set -o pipefail
git fetch origin ${{ github.event.pull_request.base.ref }} --depth=1 &>/dev/null
forbidden_changes=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }} HEAD -- ci3 .github ci.sh)
if echo "$forbidden_changes" | grep -q .; then
echo "Error: External PRs can't contain CI changes (forbidden files: $forbidden_changes)."
exit 1
fi
if [ ${{ github.event.pull_request.base.ref }} != "master" ]; then
echo "Error: External PRs can only target master, targeted: ${{ github.event.pull_request.base.ref }}."
exit 1
fi
labeled="${{contains(github.event.pull_request.labels.*.name, 'ci-external') || contains(github.event.pull_request.labels.*.name, 'ci-external-once')}}"
if [ "$labeled" = false ]; then
echo "External PRs need the 'ci-external' or 'ci-external-once' labels to run."
exit 1
fi
# Remove any ci-external-once labels.
GITHUB_TOKEN=${{ secrets.AZTEC_BOT_GITHUB_TOKEN }} gh pr edit ${{ github.event.pull_request.number }} --remove-label "ci-external-once"
- name: CI Full Override
# TODO consolidate legacy labels to just ci-full.
if: |
contains(github.event.pull_request.labels.*.name, 'e2e-all') ||
contains(github.event.pull_request.labels.*.name, 'network-all') ||
contains(github.event.pull_request.labels.*.name, 'ci-full')
run: echo "CI_FULL=1" >> $GITHUB_ENV
- name: Setup
run: |
# Ensure we can SSH into the spot instances we request.
mkdir -p ~/.ssh
echo ${{ secrets.BUILD_INSTANCE_SSH_KEY }} | base64 --decode > ~/.ssh/build_instance_key
chmod 600 ~/.ssh/build_instance_key
#############
# Run
#############
- name: Run
env:
# We need to pass these creds to start the AWS ec2 instance.
# They are not injected into that instance. Instead, it has minimal
# creds for being able to upload to cache.
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
REF_NAME: repo-fork/${{ github.repository }}/${{ github.head_ref }}
# We only test on amd64.
ARCH: amd64
LOG_ID: ${{ github.run_id }}
run: |
./ci.sh ec2