chore: improve ci workflows #1113

Merged: cedoor merged 14 commits into main from ci/improvements-3 on Dec 16, 2025

@cedoor cedoor commented Dec 16, 2025 (Contributor)

Updates CI to pin the Noir toolchain, add a dedicated CRISP SDK build + artifact upload job, and make CRISP unit/E2E tests reuse those artifacts (and drop unnecessary installs), plus a small cleanup to the CRISP E2E test runner script.

Saved around 2/3 mins.

Summary by CodeRabbit

  • Chores

    • Centralized toolchain configuration via a new environment variable and updated pipeline steps.
    • Added a dedicated build job for Crisp SDK artifacts and integrated artifact upload/download across jobs.
    • Reworked job dependencies to ensure SDK artifacts are built before tests and integrations.
  • Tests

    • Streamlined test execution flow and simplified end-to-end startup commands for faster CI feedback.


@vercel vercel Bot commented Dec 16, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| crisp | Ready | Preview, Comment | Dec 16, 2025 5:49pm |
| enclave-docs | Ready | Preview, Comment | Dec 16, 2025 5:49pm |

@coderabbitai coderabbitai Bot commented Dec 16, 2025 (Contributor)

Walkthrough

Introduces NOIR_TOOLCHAIN env var in CI, replaces hard-coded Noir toolchain references, removes some early Rust setup steps, adds a new build_crisp_sdk job and artifact handling, updates job dependencies (crisp_unit, crisp_e2e), and simplifies CRISP SDK test and e2e scripts.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI workflow & toolchain (.github/workflows/ci.yml) | Added NOIR_TOOLCHAIN env var; replaced hard-coded Noir toolchain references with ${{ env.NOIR_TOOLCHAIN }}; removed redundant Rust cache/install steps in an early job; adjusted Noir installation steps to use the env var. |
| New SDK build job & artifact flow (.github/workflows/ci.yml) | Added build_crisp_sdk job to build/publish CRISP SDK artifacts; added artifact upload/download steps; updated job dependencies so crisp_unit and crisp_e2e depend on build_crisp_sdk; integrated SDK artifacts into downstream jobs. |
| CRISP SDK package test script (examples/CRISP/packages/crisp-sdk/package.json) | Simplified scripts.test from "pnpm build:wasm && pnpm compile:circuit && vitest --run" to "vitest --run", removing pre-test build/compile steps. |
| CRISP e2e script (examples/CRISP/scripts/test_e2e.sh) | Removed setup.sh from the concurrently parallel execution; now runs only dev.sh in the concurrent phase and retains the wait-on/playwright sequence. |

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant BuildSDK as build_crisp_sdk (Job)
    participant BuildEnclave as build_enclave_cli (Job)
    participant Unit as crisp_unit (Job)
    participant E2E as crisp_e2e (Job)
    participant Artifacts as Artifact Storage

    GHA->>BuildSDK: trigger (uses NOIR_TOOLCHAIN)
    BuildSDK->>BuildSDK: build SDK, compile circuits
    BuildSDK->>Artifacts: upload crisp-sdk-artifacts

    GHA->>BuildEnclave: trigger
    BuildEnclave->>Artifacts: upload enclave-artifacts

    GHA->>Unit: trigger (needs: build_crisp_sdk)
    Artifacts->>Unit: download crisp-sdk-artifacts
    Unit->>Unit: run tests (vitest --run)
    Unit->>Artifacts: upload unit artifacts

    GHA->>E2E: trigger (needs: build_enclave_cli, build_crisp_sdk)
    Artifacts->>E2E: download SDK & enclave artifacts
    E2E->>E2E: prepare env, run dev.sh and e2e tests

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

  • Review areas needing extra attention:
    • Artifact upload/download paths and names in .github/workflows/ci.yml
    • Job needs dependency graph involving build_crisp_sdk, build_enclave_cli, crisp_unit, and crisp_e2e
    • Changes to Noir toolchain references to ensure correct propagation to all Noir/Nargo install steps

Suggested reviewers

  • ctrlc03

Poem

🐰 I hopped through CI with a curious twitch,
NOIR_TOOLCHAIN tucked in my little stitch.
Built the SDK, left the old steps behind,
Tests run simpler — neat and streamlined.
Cheers from a rabbit, code and carrots aligned 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'chore: improve ci workflows' is vague and generic, using non-descriptive phrasing that doesn't convey the specific changes made in the PR. | Consider a more specific title such as 'chore: pin Noir toolchain and add CRISP SDK build job' to better reflect the main improvements. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29ca7ce and 189372c.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (10 hunks)
🧰 Additional context used
🧠 Learnings (8)
📓 Common learnings
Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 648
File: .github/workflows/ci.yml:202-206
Timestamp: 2025-08-27T13:49:03.811Z
Learning: In GitHub Actions workflows for Noir circuits, the user prefers to use "stable" toolchain with noir-lang/noirup action rather than pinning to specific versions like 1.0.0-beta.11, and prefers to update the noirup action version (e.g., to 0.1.4) to get tooling improvements.
📚 Learning: 2025-08-27T13:49:03.811Z
Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 648
File: .github/workflows/ci.yml:202-206
Timestamp: 2025-08-27T13:49:03.811Z
Learning: In GitHub Actions workflows for Noir circuits, the user prefers to use "stable" toolchain with noir-lang/noirup action rather than pinning to specific versions like 1.0.0-beta.11, and prefers to update the noirup action version (e.g., to 0.1.4) to get tooling improvements.

Applied to files:

  • .github/workflows/ci.yml
📚 Learning: 2025-10-10T12:56:40.538Z
Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 830
File: templates/default/README.md:123-128
Timestamp: 2025-10-10T12:56:40.538Z
Learning: In the Enclave repository, the hard-coded Hardhat development private key `0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80` is acceptable in template README files and documentation for local testing/interaction purposes.

Applied to files:

  • .github/workflows/ci.yml
📚 Learning: 2024-10-23T01:59:42.967Z
Learnt from: ryardley
Repo: gnosisguild/enclave PR: 156
File: packages/ciphernode/tests/tests/test_aggregation_and_decryption.rs:274-274
Timestamp: 2024-10-23T01:59:42.967Z
Learning: In the `packages/ciphernode/tests/tests/test_aggregation_and_decryption.rs` file and other test files within this project, hardcoding `CIPHERNODE_SECRET` is acceptable for testing purposes.

Applied to files:

  • .github/workflows/ci.yml
📚 Learning: 2024-10-23T01:59:27.215Z
Learnt from: ryardley
Repo: gnosisguild/enclave PR: 156
File: tests/basic_integration/test.sh:21-21
Timestamp: 2024-10-23T01:59:27.215Z
Learning: In `tests/basic_integration/test.sh`, the hardcoded `CIPHERNODE_SECRET` is acceptable for testing purposes and does not need to be changed.

Applied to files:

  • .github/workflows/ci.yml
📚 Learning: 2024-10-23T02:03:02.008Z
Learnt from: ryardley
Repo: gnosisguild/enclave PR: 156
File: packages/ciphernode/keyshare/src/encryption.rs:45-45
Timestamp: 2024-10-23T02:03:02.008Z
Learning: In the `packages/ciphernode/keyshare/src/encryption.rs` file, the environment variable `CIPHERNODE_SECRET` is used for the encryption password. A secure secret management solution is not currently available, but may be considered in future iterations.

Applied to files:

  • .github/workflows/ci.yml
📚 Learning: 2025-11-05T14:12:57.814Z
Learnt from: ctrlc03
Repo: gnosisguild/enclave PR: 963
File: examples/CRISP/client/package.json:25-25
Timestamp: 2025-11-05T14:12:57.814Z
Learning: In the Enclave/CRISP codebase, `enclave-e3/sdk` and `crisp-e3/sdk` are different packages: `enclave-e3/sdk` is the general Enclave SDK, while `crisp-e3/sdk` is the CRISP-specific SDK. The CRISP client (`examples/CRISP/client`) intentionally depends on `enclave-e3/sdk`, not `crisp-e3/sdk`.

Applied to files:

  • .github/workflows/ci.yml
📚 Learning: 2025-08-25T10:28:56.174Z
Learnt from: ctrlc03
Repo: gnosisguild/enclave PR: 657
File: Cargo.toml:32-34
Timestamp: 2025-08-25T10:28:56.174Z
Learning: The examples/CRISP directory has its own Cargo.toml workspace configuration with members like "server", "wasm-crypto", "program/core", "program/client", etc. The root workspace intentionally excludes "examples/CRISP/server", "examples/CRISP/program", and "examples/CRISP/wasm-crypto" to prevent double workspace membership, which is the correct approach for self-contained example workspaces.

Applied to files:

  • .github/workflows/ci.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: build_crisp_sdk
  • GitHub Check: test_net
  • GitHub Check: build_sdk
  • GitHub Check: rust_integration
  • GitHub Check: integration_prebuild
  • GitHub Check: rust_unit
  • GitHub Check: build_enclave_cli
🔇 Additional comments (4)
.github/workflows/ci.yml (4)

24-24: Pinning Noir toolchain conflicts with past preferences.

Based on learnings, you previously preferred using "stable" toolchain with the noir-lang/noirup action rather than pinning to specific versions (like 1.0.0-beta.11), and preferred updating the noirup action version to get tooling improvements. The current change pins to v1.0.0-beta.15, which may introduce maintenance overhead when new versions are released.

Consider whether pinning is necessary for this use case, or if "stable" would still be preferable.


410-410: LGTM! Job dependencies correctly updated.

The dependency additions ensure that crisp_unit and crisp_e2e jobs wait for the build_crisp_sdk job to complete before running, which aligns with the artifact reuse strategy to avoid redundant builds.

Also applies to: 483-483


447-467: LGTM! Artifact reuse optimization implemented correctly.

The changes properly implement the artifact reuse strategy:

  1. Building Enclave contracts from root ensures dependencies are available
  2. Downloading pre-built CRISP SDK artifacts avoids redundant builds
  3. The artifact path and naming are consistent with the build_crisp_sdk job

This should deliver the 2-3 minute CI time savings mentioned in the PR description.

Also applies to: 479-479


524-552: LGTM! E2E test preparation steps are well-structured.

The changes properly set up the E2E test environment:

  1. Enclave contracts are built from root as dependencies
  2. CRISP contracts are compiled separately for the E2E environment
  3. Environment files are properly initialized from examples
  4. Server and CLI binaries are built with --locked for reproducibility
  5. Pre-built SDK artifacts are downloaded to avoid redundant builds

The flow is logical and should work correctly with the new build_crisp_sdk job.



@cedoor cedoor requested a review from ctrlc03 December 16, 2025 17:41
@cedoor cedoor marked this pull request as ready for review December 16, 2025 17:42
@cedoor cedoor enabled auto-merge (squash) December 16, 2025 17:42

@coderabbitai coderabbitai Bot left a comment (Contributor)

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

24-24: Consider using "stable" toolchain instead of pinned version.

Based on learnings from this repo, the preference has been to use "stable" toolchain with noir-lang/noirup rather than pinning to specific versions. If there's a specific reason for pinning to v1.0.0-beta.15 (e.g., compatibility requirements with the circuits), please document it in a comment.


736-736: Consider using error instead of warn for artifact upload.

Using if-no-files-found: warn could mask build failures. If the SDK build fails to produce artifacts, downstream jobs (crisp_unit, crisp_e2e) will fail with unclear errors when trying to download missing artifacts.

-          if-no-files-found: warn
+          if-no-files-found: error
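
Review bot: `if-no-files-found: error` on this upload step only fails when the configured paths match no files at all, so a build that produces some outputs but not others would still upload and the gap would surface later in crisp_unit or crisp_e2e. If the change is adopted, consider adding a step before the upload that checks each expected output exists, so a partial build fails inside build_crisp_sdk with a message naming the missing file.
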
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4d85bab and 29ca7ce.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml (10 hunks)
  • examples/CRISP/packages/crisp-sdk/package.json (1 hunks)
  • examples/CRISP/scripts/test_e2e.sh (1 hunks)
🧰 Additional context used
🧠 Learnings (12)
📓 Common learnings
Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 648
File: .github/workflows/ci.yml:202-206
Timestamp: 2025-08-27T13:49:03.811Z
Learning: In GitHub Actions workflows for Noir circuits, the user prefers to use "stable" toolchain with noir-lang/noirup action rather than pinning to specific versions like 1.0.0-beta.11, and prefers to update the noirup action version (e.g., to 0.1.4) to get tooling improvements.
📚 Learning: 2024-09-26T04:26:00.779Z
Learnt from: ryardley
Repo: gnosisguild/enclave PR: 107
File: tests/basic_integration/test.sh:142-142
Timestamp: 2024-09-26T04:26:00.779Z
Learning: In the `tests/basic_integration/test.sh` script, using fixed sleep durations is acceptable, and adding more complex waiting mechanisms may introduce unnecessary complexity for the test.

Applied to files:

  • examples/CRISP/scripts/test_e2e.sh
📚 Learning: 2025-10-29T23:35:30.146Z
Learnt from: ryardley
Repo: gnosisguild/enclave PR: 936
File: scripts/run-crisp-test.sh:1-3
Timestamp: 2025-10-29T23:35:30.146Z
Learning: In the scripts/run-crisp-test.sh file, the use of `rm -rf *` is acceptable as it's intentionally designed as a definitive reset-and-test script for clean checkouts.

Applied to files:

  • examples/CRISP/scripts/test_e2e.sh
📚 Learning: 2024-09-26T04:12:09.345Z
Learnt from: ryardley
Repo: gnosisguild/enclave PR: 107
File: tests/basic_integration/test.sh:103-114
Timestamp: 2024-09-26T04:12:09.345Z
Learning: In `tests/basic_integration/test.sh`, the user prefers not to refactor the ciphernode addition section to reduce duplication.

Applied to files:

  • examples/CRISP/scripts/test_e2e.sh
📚 Learning: 2024-09-26T04:15:32.544Z
Learnt from: ryardley
Repo: gnosisguild/enclave PR: 107
File: tests/basic_integration/test.sh:81-83
Timestamp: 2024-09-26T04:15:32.544Z
Learning: In `tests/basic_integration/test.sh`, it's acceptable to wait indefinitely for the EVM node to start without a timeout, as it's unlikely to fail here.

Applied to files:

  • examples/CRISP/scripts/test_e2e.sh
🔇 Additional comments (6)
examples/CRISP/scripts/test_e2e.sh (1)

17-17: LGTM! Simplified concurrent execution aligns with the new artifact-based workflow.

The removal of setup.sh from the parallel execution is consistent with the CI changes where the build_crisp_sdk job now handles SDK building separately. This simplifies the E2E test script by relying on pre-built artifacts.

Note that when running locally, developers must ensure the SDK artifacts exist (via pnpm build:sdk or similar) before executing this script.

examples/CRISP/packages/crisp-sdk/package.json (1)

27-27: LGTM! Test script simplified to assume pre-built artifacts.

The removal of build steps from the test script is appropriate given the CI workflow now builds artifacts separately in the build_crisp_sdk job. For local development, developers should run pnpm build (line 26) before running tests.

.github/workflows/ci.yml (4)

408-410: LGTM! Job dependency correctly updated.

The crisp_unit job now properly depends on build_crisp_sdk, ensuring artifacts are available before tests run.


481-483: LGTM! Job dependencies correctly updated for E2E tests.

The crisp_e2e job now depends on both build_enclave_cli and build_crisp_sdk, ensuring all required binaries and SDK artifacts are available.


463-467: LGTM! Artifact download step correctly configured.

The download path (./examples/CRISP) matches the artifact upload paths from build_crisp_sdk, ensuring files are restored to the correct locations.


723-725: The pnpm build:sdk script exists but only builds the crisp-sdk package.

The script in examples/CRISP/package.json is defined as "pnpm -C packages/crisp-sdk build". This only builds the crisp-sdk package in isolation. Circuits are compiled separately via the compile:circuits script, not as part of build:sdk.

Likely an incorrect or invalid review comment.

Comment thread .github/workflows/ci.yml
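
The artifact hand-off reviewed above (build_crisp_sdk uploads, crisp_unit and crisp_e2e download) can be guarded with a digest manifest, so that a partial or altered artifact fails with a message naming the file. This is an added example, not code from the PR or the Enclave repository; the function names, the script name and the file arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR): digest manifest for artifacts passed between CI jobs.
# Paths in the usage comments are hypothetical; the page does not list the real ones.

# Print the SHA-256 hex digest of one file, using whichever tool is installed.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Producer side (build job, before the upload step).
# Fails if any expected output is missing or empty, so a partial build stops
# here; otherwise writes one "<digest> <relative path>" line per file.
# usage: write_manifest <root> <manifest> <relative path>...
write_manifest() {
  root=$1; manifest=$2; shift 2
  missing=0
  for rel in "$@"; do
    if [ ! -s "$root/$rel" ]; then
      echo "missing or empty build output: $rel" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1
  for rel in "$@"; do
    printf '%s %s\n' "$(hash_file "$root/$rel")" "$rel"
  done > "$manifest"
}

# Consumer side (test job, after the download step).
# Every listed file must exist and match its recorded digest.
# usage: verify_manifest <root> <manifest>
verify_manifest() {
  root=$1; manifest=$2
  if [ ! -s "$manifest" ]; then
    echo "manifest missing or empty: $manifest" >&2
    return 1
  fi
  status=0
  while read -r want rel; do
    if [ ! -f "$root/$rel" ]; then
      echo "file missing after download: $rel" >&2
      status=1
    elif [ "$(hash_file "$root/$rel")" != "$want" ]; then
      echo "digest mismatch: $rel" >&2
      status=1
    fi
  done < "$manifest"
  return "$status"
}

# Command-line entry point, e.g. in a workflow step:
#   sh artifact-manifest.sh write  ./examples/CRISP manifest.sha256 <files...>
#   sh artifact-manifest.sh verify ./examples/CRISP manifest.sha256
if [ "$#" -gt 0 ]; then
  cmd=$1; shift
  case "$cmd" in
    write)  write_manifest "$@" ;;
    verify) verify_manifest "$@" ;;
    *)      echo "usage: $0 write|verify <root> <manifest> [files...]" >&2; exit 2 ;;
  esac
fi
```

A manifest stored inside the same artifact catches partial or corrupted uploads; to detect deliberate modification, its digest has to reach the consuming job by a separate path such as a job output.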

@ctrlc03 ctrlc03 left a comment (Collaborator)

LGTM

@cedoor cedoor merged commit 371379f into main Dec 16, 2025
26 checks passed
@ctrlc03 ctrlc03 deleted the ci/improvements-3 branch December 16, 2025 19:14
This was referenced Mar 21, 2026
2 participants