
chore: Bump Noir reference #29864

chore: Bump Noir reference

chore: Bump Noir reference #29864

Workflow file for this run

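# CI for external Aztec contributors. Like ci3.yml, but more locked down.
#
# CAREFUL! We use "exec" a lot to ensure signal propagation to the child process, to allow proper ec2 cleanup.
#
# SECURITY: this workflow is triggered by pull_request_target, so it runs with this repository's
# secrets while the working tree is the fork's head commit. Everything that originates from the
# PR (branch names, file names, file contents) is untrusted input. Event fields are therefore
# passed to scripts through `env:` and never expanded with ${{ }} inside `run:` text, because
# expression expansion happens before the shell parses the script.
name: CI3 (External)
on:
  # This check is skipped in merge queue, but we need it to run (even skipped) for status checks.
  merge_group:
  # Run with pull_request_target for external devs. This forces them to use this workflow as-is.
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review, labeled]
# Least privilege for the default GITHUB_TOKEN: the only implicit use in this file is the checkout.
# Label edits and the merge below authenticate with the dedicated bot token instead.
permissions:
  contents: read
concurrency:
  # Only allow one run per <forked-repo>/<branch> and full concurrency on merge queue.
  # The PR trigger here is pull_request_target, so that is the event name to compare against.
  # Comparing with 'pull_request' never matched: every run fell back to its own run_id group and
  # cancel-in-progress had no effect. With the match in place, any new triggering event for the
  # same fork branch (a push or an added label) cancels the run still in progress.
  group: |
    ci3-external-${{ github.event_name == 'pull_request_target' && format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.head_ref)
    || github.run_id }}
  cancel-in-progress: true
jobs:
  ci-external:
    runs-on: ubuntu-latest
    # exclusive with ci3.yml, only run on forks.
    if: github.event.pull_request.head.repo.fork
    steps:
      #############
      # Prepare Env
      #############
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # The commit to checkout. We want our actual commit, and not the result of merging the PR to the target.
          # From this point on the working tree is fork-controlled content.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Keep the workflow token out of .git/config, where code from the checkout could read it.
          persist-credentials: false
      # NOTE: in ci3.yml we just rely on draft mode not being mergeable.
      # Here we are a little more careful than just skipping the workflow, in case of an edge case allowing merge.
      - name: Fail If Draft
        if: github.event.pull_request.draft
        run: echo "CI is not run on drafts." && exit 1
      - name: External Contributor Checks
        # Run only if a pull request event type and we have a forked repository origin.
        # This step is the gate for everything below: it rejects PRs that touch the CI entry
        # points (ci3, .github, ci.sh, scripts), PRs aimed at unexpected base branches, and PRs
        # that a maintainer has not labelled for CI.
        env:
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          # Evaluates to the string "true" or "false".
          LABELED: ${{ contains(github.event.pull_request.labels.*.name, 'ci-external') || github.event.label.name == 'ci-external-once' }}
          # Bot token for the label removal at the end of the script; supplied through env so the
          # secret is not written into the generated script text.
          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
        run: |
          set -o pipefail
          git fetch origin "$PR_BASE_REF" --depth=1 &>/dev/null
          # Compares the base branch tip with HEAD, restricted to the protected paths.
          forbidden_changes=$(git diff --name-only "origin/$PR_BASE_REF" HEAD -- ci3 .github ci.sh scripts)
          if echo "$forbidden_changes" | grep -q .; then
            echo "Error: External PRs can't contain CI changes (forbidden files: $forbidden_changes)."
            exit 1
          fi
          if [[ "$PR_BASE_REF" != "master" && \
                "$PR_BASE_REF" != "staging" && \
                "$PR_BASE_REF" != "next" && \
                "$PR_BASE_REF" != merge-train/* ]]; then
            echo "Error: External PRs can only target master, staging, next or merge-train/* branches. Targeted: $PR_BASE_REF."
            exit 1
          fi
          if [ "$LABELED" = false ]; then
            echo "External PRs need the 'ci-external' or 'ci-external-once' labels to run."
            exit 1
          fi
          # Remove any ci-external-once labels.
          gh pr edit "$PR_NUMBER" --remove-label "ci-external-once"
      - name: CI Merge Queue Override (grind on PR)
        if: contains(github.event.pull_request.labels.*.name, 'ci-merge-queue')
        run: echo "CI_MERGE_QUEUE=1" >> "$GITHUB_ENV"
      - name: CI Full Override
        if: contains(github.event.pull_request.labels.*.name, 'ci-full')
        run: echo "CI_FULL=1" >> "$GITHUB_ENV"
      - name: Cache Override
        if: contains(github.event.pull_request.labels.*.name, 'ci-no-cache')
        run: echo "NO_CACHE=1" >> "$GITHUB_ENV"
      - name: Fail Fast Override
        if: contains(github.event.pull_request.labels.*.name, 'ci-no-fail-fast')
        run: echo "NO_FAIL_FAST=1" >> "$GITHUB_ENV"
      - name: Setup
        env:
          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
        run: |
          # Ensure we can SSH into the spot instances we request.
          # NOTE(review): this key stays on the runner's disk while ./ci.sh later runs from the
          # fork's checkout; the forbidden-path check above is what keeps ci.sh, ci3 and scripts
          # identical to the base branch.
          mkdir -p ~/.ssh
          # umask makes the file owner-only from creation instead of only after the chmod.
          (umask 077 && echo "$BUILD_INSTANCE_SSH_KEY" | base64 --decode > ~/.ssh/build_instance_key)
          chmod 600 ~/.ssh/build_instance_key
      - name: Get Tree Hash
        run: echo "TREE_HASH=$(git rev-parse 'HEAD^{tree}')" >> "$GITHUB_ENV"
      - name: Check CI Cache
        id: ci_cache
        # NOTE(review): referenced by a mutable tag, unlike the checkout action above, which is
        # pinned to a full commit SHA. Pin this one to a commit SHA as well.
        uses: actions/cache@v3
        with:
          path: ci-success.txt
          key: ci-external-${{ env.TREE_HASH }}
      #############
      # Run
      #############
      - name: Run
        if: steps.ci_cache.outputs.cache-hit != 'true'
        env:
          # We need to pass these creds to start the AWS ec2 instance.
          # They are not injected into that instance. Instead, it has minimal
          # creds for being able to upload to cache.
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          # head_ref is the fork's branch name. It arrives here as an environment value, so the
          # shell below does not parse it; whatever consumes REF_NAME must keep treating it as data.
          REF_NAME: repo-fork/${{ github.repository }}/${{ github.head_ref }}
          # We only test on amd64.
          ARCH: amd64
          RUN_ID: ${{ github.run_id }}
        run: |
          if [ "${CI_MERGE_QUEUE:-0}" -eq 1 ]; then
            exec ./ci.sh merge-queue
          elif [ "${CI_FULL:-0}" -eq 1 ]; then
            exec ./ci.sh full
          else
            exec ./ci.sh fast
          fi
      - name: Save CI Success
        if: steps.ci_cache.outputs.cache-hit != 'true'
        run: echo "success" > ci-success.txt
      # If we have passed CI and labelled with ci-squash-and-merge, squash the PR.
      # This will rerun CI on the squash commit - but is intended to be a no-op due to caching.
      - name: CI Squash and Merge
        if: contains(github.event.pull_request.labels.*.name, 'ci-squash-and-merge')
        env:
          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
          # The bot token is in this step's environment, so no PR field may reach the script as
          # text. head.ref is a branch name chosen by the fork owner; expanding it with ${{ }}
          # inside double quotes would let the shell evaluate any substitution it contains.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # Reauth the git repo with our GITHUB_TOKEN
          # This stores the bot token in .git/config of the checkout; keep it as the last step
          # that touches the working tree. GITHUB_REPOSITORY is the runner-provided owner/name.
          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}"
          # Get the base commit (merge-base) for the PR
          ./scripts/merge-train/squash-pr.sh \
            "$PR_NUMBER" \
            "$PR_HEAD_REF" \
            "$PR_BASE_REF" \
            "$PR_BASE_SHA"
          gh pr edit "$PR_NUMBER" --remove-label "ci-squash-and-merge"
          gh pr merge "$PR_NUMBER" --auto -m || true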