chore: add cache dependencies action

[cedoor]

This PR improves our CI reliability and performance by standardizing toolchain versions and tightening caching behavior.

• Add cache-dependencies action and integrate it into workflows.
• Upgrade Node setup action to v4 and expose Node/Rust versions via env for consistency.
• Improve Rust dependency caching and fix the cache-dependencies action logic.

Summary by CodeRabbit

• Chores
  • Improved CI/CD infrastructure with centralized version management for Node.js and Rust toolchains.
  • Enhanced dependency caching strategy across build and test workflows for improved efficiency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
crisp	Ready	Preview, Comment	Dec 16, 2025 10:58am
enclave-docs	Ready	Preview, Comment	Dec 16, 2025 10:58am

[coderabbitai]

Walkthrough

This PR introduces a new GitHub Actions composite action to cache Rust dependencies and updates CI workflows to use centralized version parameters. The cache-dependencies action normalizes target paths, computes cache scope via SHA256 hashing, and uses actions/cache@v4. CI workflows now use environment-based version parameters for Node.js and Rust toolchains.

Changes

Cohort / File(s)	Summary
GitHub Actions Cache Infrastructure \.github/actions/cache-dependencies/action\.yml	New composite action that caches Rust dependencies (Cargo registry, Git deps, target directory). Accepts cargo-lock-path and rust-target-path inputs, computes cache scope by normalizing and hashing the target path, and exposes scope via output. Uses actions/cache@v4 with cache key composed of rust-deps-${scope}- and Cargo.lock hash.
CI Workflow Updates \.github/workflows/ci\.yml	Replaces ad-hoc caching and setup sequences with centralized, environment-parameterized configuration. Introduces NODE_VERSION and RUST_TOOLCHAIN environment defaults; upgrades to actions/setup-node@v4 with pnpm caching; replaces individual Cargo cache steps with unified cache-dependencies action across multiple jobs; updates Rust toolchain specifiers to use environment variables.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

• Cache scope computation logic in the new action (SHA256 hashing and path normalization)
• Integration consistency of cache-dependencies action across multiple workflow jobs
• Version parameter propagation throughout ci.yml to verify centralization is complete and consistent
• Verify cache key patterns and restore-key fallbacks work as intended

Possibly related PRs

• chore: speed up ci workflow #1082: Centralizes Rust dependency caching with a dedicated cache step keyed by Cargo.lock, directly related to the cache-dependencies action approach.
• Update github actions workflow versions #250: Updates GitHub Actions workflows and caching setup, including actions/cache@v4 upgrades similar to this PR's infrastructure changes.

Suggested reviewers

• ctrlc03
• 0xjei
• hmzakhalid

Poem

🐰 Hops through cache so bright and fleet,
Rust deps bundled, oh so neat!
SHA hashes dancing in the night,
Workflows cached with pure delight!
Actions stacked like carrots tall,
CI pipelines spring through it all! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary change: introducing a new cache dependencies GitHub Actions composite action, which is the main focus of the modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/improvements-2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/actions/cache-dependencies/action.yml (1)

17-31: Consider declaring the scope output in the action metadata.

The step computes and writes scope to $GITHUB_OUTPUT, but the action doesn't declare an outputs section. If you intend for callers to access this value, you should explicitly declare it.

+outputs:
+  scope:
+    description: Computed cache scope (SHA256 hash of normalized target path)
+    value: ${{ steps.cache-key.outputs.scope }}
+
 runs:
   using: composite
   steps:

If the output is purely internal for cache key composition (which appears to be the case), you can safely ignore this suggestion.

.github/workflows/ci.yml (1)

22-23: Centralized version management improves maintainability, but consider using stable Noir toolchain.

Using environment variables for NODE_VERSION and RUST_TOOLCHAIN ensures consistent versions across jobs and simplifies updates. However, the Noir toolchain is pinned to v1.0.0-beta.15 at lines 286-288 and other locations (438-439, 522-523, 572-573). Consider using toolchain: stable instead to align with your stated preference for stable Noir toolchains while maintaining the updated noirup action version (v0.1.4).

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70913fd and 1228976.

📒 Files selected for processing (2)

• .github/actions/cache-dependencies/action.yml (1 hunks)
• .github/workflows/ci.yml (18 hunks)

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 648
File: .github/workflows/ci.yml:202-206
Timestamp: 2025-08-27T13:49:03.811Z
Learning: In GitHub Actions workflows for Noir circuits, the user prefers to use "stable" toolchain with noir-lang/noirup action rather than pinning to specific versions like 1.0.0-beta.11, and prefers to update the noirup action version (e.g., to 0.1.4) to get tooling improvements.

Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 476
File: .github/workflows/releases.yml:29-37
Timestamp: 2025-06-05T14:10:25.539Z
Learning: In GitHub Actions workflows for release-plz, the user prefers to keep the version explicitly pinned (e.g., version: "0.3.83") rather than allowing dynamic version inference, for stability and reproducibility.

📚 Learning: 2025-08-27T13:49:03.811Z

Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 648
File: .github/workflows/ci.yml:202-206
Timestamp: 2025-08-27T13:49:03.811Z
Learning: In GitHub Actions workflows for Noir circuits, the user prefers to use "stable" toolchain with noir-lang/noirup action rather than pinning to specific versions like 1.0.0-beta.11, and prefers to update the noirup action version (e.g., to 0.1.4) to get tooling improvements.

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2024-10-23T01:59:42.967Z

Learnt from: ryardley
Repo: gnosisguild/enclave PR: 156
File: packages/ciphernode/tests/tests/test_aggregation_and_decryption.rs:274-274
Timestamp: 2024-10-23T01:59:42.967Z
Learning: In the `packages/ciphernode/tests/tests/test_aggregation_and_decryption.rs` file and other test files within this project, hardcoding `CIPHERNODE_SECRET` is acceptable for testing purposes.

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2025-10-10T12:56:40.538Z

Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 830
File: templates/default/README.md:123-128
Timestamp: 2025-10-10T12:56:40.538Z
Learning: In the Enclave repository, the hard-coded Hardhat development private key `0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80` is acceptable in template README files and documentation for local testing/interaction purposes.

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2024-10-23T02:03:02.008Z

Learnt from: ryardley
Repo: gnosisguild/enclave PR: 156
File: packages/ciphernode/keyshare/src/encryption.rs:45-45
Timestamp: 2024-10-23T02:03:02.008Z
Learning: In the `packages/ciphernode/keyshare/src/encryption.rs` file, the environment variable `CIPHERNODE_SECRET` is used for the encryption password. A secure secret management solution is not currently available, but may be considered in future iterations.

Applied to files:

• .github/workflows/ci.yml

📚 Learning: 2024-10-23T01:59:27.215Z

Learnt from: ryardley
Repo: gnosisguild/enclave PR: 156
File: tests/basic_integration/test.sh:21-21
Timestamp: 2024-10-23T01:59:27.215Z
Learning: In `tests/basic_integration/test.sh`, the hardcoded `CIPHERNODE_SECRET` is acceptable for testing purposes and does not need to be changed.

Applied to files:

• .github/workflows/ci.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: Validate PR Title
• GitHub Check: build_e3_support_dev
• GitHub Check: crisp_unit
• GitHub Check: build_sdk
• GitHub Check: integration_prebuild
• GitHub Check: build_enclave_cli
• GitHub Check: test_net
• GitHub Check: rust_unit
• GitHub Check: rust_integration

🔇 Additional comments (7)

.github/actions/cache-dependencies/action.yml (1)

1-41: Well-structured composite action with good cross-platform handling.

The implementation correctly handles path normalization and provides fallback between sha256sum (Linux) and shasum (macOS). The cache key strategy using the target path hash as scope is a solid approach for isolating caches.

.github/workflows/ci.yml (6)

39-41: Cache action placement before toolchain installation is correct.

Caching before installing the Rust toolchain allows the cache to be restored before compilation, maximizing cache hits.

---

60-66: Node.js setup with pnpm caching is well-configured.

The configuration correctly uses cache: 'pnpm' with cache-dependency-path: pnpm-lock.yaml for efficient dependency caching.

---

285-288: Nargo toolchain version is pinned to a beta version.

The Nargo toolchain uses v1.0.0-beta.15. Based on learnings, the preference was to use "stable" toolchain with noir-lang/noirup for Noir circuits. Consider whether this pinned beta version is intentional for compatibility reasons.

If v1.0.0-beta.15 is required for compatibility with specific circuit features, this is fine. Otherwise, consider using stable as the toolchain value.

---

424-428: CRISP-specific cache configuration correctly isolates the workspace.

Using custom cargo-lock-path and rust-target-path for the CRISP example workspace ensures isolated caching and prevents conflicts with the main workspace cache.

---

605-609: Template workspace cache configuration is correctly isolated.

Similar to CRISP, the templates/default workspace uses its own Cargo.lock and target/ paths for proper cache isolation.

---

337-347: ciphernode_integration_test installs Rust but doesn't cache dependencies.

This job installs Rust but doesn't use the cache-dependencies action, while similar jobs do. Since this job downloads build artifacts rather than compiling, this is likely intentional to save setup time.

If the job performs any Cargo operations (like running tests with cargo), consider adding the cache action for potential speedup. If it only uses pre-built binaries, the current setup is appropriate.