fix: simplify CI and integration test timeout

[ctrlc03]

Summary by CodeRabbit

• Chores
  • CI now detects changed areas and gates many workflows with a new detect_changes job to avoid unnecessary runs.
• Tests
  • Added timeout support to integration helpers and tests to prevent hangs; increased default wait durations.
  • waitForEvent and test wait helpers now accept an optional timeout parameter for predictable failures.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
crisp	Ready	Preview, Comment	Mar 12, 2026 3:19pm
enclave-docs	Ready	Preview, Comment	Mar 12, 2026 3:19pm

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a GitHub Actions detect_changes job that computes per-path boolean outputs and gates ~16 downstream CI jobs; updates integration test helpers to add timeout handling (JS waitForEvent and shell waiton) and increases test durations.

Changes

Cohort / File(s)	Summary
CI workflow / detect_changes ​.github/workflows/ci.yml	Adds detect_changes job with path filters and a Compute step emitting ~16 boolean outputs; many downstream jobs now needs: detect_changes and are gated with if: needs.detect_changes.outputs.<name> == 'true'.
CI jobs (gated updates) ​.github/workflows/ci.yml	Converts multiple existing jobs to conditional execution (e.g., rust_tests, zk_prover_integration, build_e3_support_*, build_ciphernode_image, test_contracts, test_net, integration_prebuild, ciphernode_integration_test, build_sdk, build_crisp_sdk, template_integration, test_enclave_init, crisp_unit, crisp_e2e); adds temporary false branches and artifact-sharing TODOs.
Integration tests (TypeScript) templates/default/tests/integration.spec.ts	Extends waitForEvent signature with optional timeoutMs; replaces once with explicit handler registration/removal; adds timeout-based rejection and single-resolution guarding; increases duration values to 600 and passes timeouts to event waits.
Integration tests (Shell) tests/integration/fns.sh	waiton now accepts an optional timeout (default 600s), records start_time, checks elapsed time each loop, prints timeout message to stderr, and exits non‑zero on timeout.

Sequence Diagram(s)

sequenceDiagram
    rect rgba(200,200,255,0.5)
    actor Developer
    end
    rect rgba(200,255,200,0.5)
    participant GH as "GitHub Actions"
    participant Detect as "detect_changes job"
    participant Compute as "Compute step"
    participant Jobs as "Downstream CI jobs"
    end

    Developer->>GH: push / open PR
    GH->>Detect: start detect_changes
    Detect->>Compute: evaluate path filters
    Compute->>Detect: emit boolean outputs
    Detect->>Jobs: provide outputs via needs.outputs
    Jobs->>Jobs: conditional execution if outputs == "true"
    Jobs-->>GH: report results / artifacts

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore: add crisp sdk and circuits tests to ci #980: Overlaps CI workflow changes around CRISP jobs and build_crisp_sdk gating.
• fix: increase integration test ci duration #1198: Alters the same waitForEvent implementation and test timing in templates/default/tests/integration.spec.ts.
• feat: enable trbfv on the ciphernodes #1194: Modifies integration test scripts (integration.spec.ts and tests/integration/fns.sh) with similar wait/timeout behavior.

Suggested reviewers

• cedoor
• hmzakhalid

Poem

🐰 I hop the repo, sniff each change,

I count the paths across the range.
Timers set, events await,
CI gates click, builds calibrate.
Hoppity tests—deliveries on date 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'fix: simplify CI and integration test timeout' accurately captures the main changes: CI workflow restructuring with path-filtering logic and integration test timeout improvements across three files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/ci-simplification

📝 Coding Plan for PR comments

• Generate coding plan

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

7-12: ⚠️ Potential issue | 🔴 Critical

Restore a push trigger for post-merge automation.

With only workflow_dispatch and pull_request, this workflow never runs on branch pushes. That makes the github.ref == 'refs/heads/main' paths unreachable after merge, including the image publish steps and contrib-readme-job.

🔧 Suggested fix

 on:
   workflow_dispatch:
+  push:
+    branches:
+      - main
+      - dev
   pull_request:
     branches:
       - main
       - dev

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 7 - 12, The workflow's triggers only
include workflow_dispatch and pull_request so post-merge branch pushes never
run; restore a push trigger by adding "push" with the same branch list (main and
dev) under the existing "on:" block so jobs that check github.ref ==
'refs/heads/main' (e.g., image publish and contrib-readme-job) will execute
after merges; update the on: section to include pull_request, workflow_dispatch
and push (branches: - main - dev).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 100-114: The ciphernode_e2e output flag is enabled for INTEGRATION
and CIRCUITS but the dependent producer flags build_sdk and integration_prebuild
do not include the same path conditions, allowing ciphernode_integration_test to
run while its producers are skipped; update the echo expressions for build_sdk
and integration_prebuild so their any(...) calls include the same variables as
ciphernode_e2e (specifically include INTEGRATION and CIRCUITS where appropriate)
to ensure build_sdk and integration_prebuild are selected whenever
ciphernode_e2e/ciphernode_integration_test are selected.

---

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 7-12: The workflow's triggers only include workflow_dispatch and
pull_request so post-merge branch pushes never run; restore a push trigger by
adding "push" with the same branch list (main and dev) under the existing "on:"
block so jobs that check github.ref == 'refs/heads/main' (e.g., image publish
and contrib-readme-job) will execute after merges; update the on: section to
include pull_request, workflow_dispatch and push (branches: - main - dev).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a2a33b65-bbe8-4d96-b084-2581ee2ef8bd

📥 Commits

Reviewing files that changed from the base of the PR and between e4ecbec and fcfc8d9.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• templates/default/tests/integration.spec.ts
• tests/integration/fns.sh

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

455-456: build_enclave_cli now bypasses the new pruning logic.

All of its current consumers are already gated by detect_changes, so keeping this job unconditional still pays for a full CLI build on PRs where none of those consumers can run. Consider deriving a build_enclave_cli flag from the union of those consumer conditions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 455 - 456, The build_enclave_cli job
is unconditional and bypasses pruning; change it to run only when any of its
consumers would run by deriving a boolean flag (e.g., build_enclave_cli_needed)
from the union of the existing detect_changes conditions used by its consumer
jobs, then add an if: condition on the build_enclave_cli job to reference that
flag; update any outputs or matrix entries the consumers expect so they still
find the artifact when the job runs. Ensure you reference and reuse the existing
detect_changes outputs/expressions so the new flag accurately reflects the
consumers' gating logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 98-114: The job filter lines call the helper any() with unquoted
variable expansions (e.g., any $FORCE $RUST $CONTRACTS ...) causing SC2086
word-splitting and also append to GITHUB_OUTPUT with many separate >> redirects
(SC2129); fix by quoting each argument when calling any (e.g., any "$FORCE"
"$RUST" "$CONTRACTS" ...) and collapse the multiple echo >> "$GITHUB_OUTPUT"
statements into a single grouped redirect (for example wrap all echo lines in {
...; } >> "$GITHUB_OUTPUT" or use a here-doc) so "$GITHUB_OUTPUT" is quoted and
writes occur with a single redirect.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 455-456: The build_enclave_cli job is unconditional and bypasses
pruning; change it to run only when any of its consumers would run by deriving a
boolean flag (e.g., build_enclave_cli_needed) from the union of the existing
detect_changes conditions used by its consumer jobs, then add an if: condition
on the build_enclave_cli job to reference that flag; update any outputs or
matrix entries the consumers expect so they still find the artifact when the job
runs. Ensure you reference and reuse the existing detect_changes
outputs/expressions so the new flag accurately reflects the consumers' gating
logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1ff50ba9-71ba-4690-a095-6aaa7617f9ff

📥 Commits

Reviewing files that changed from the base of the PR and between fcfc8d9 and 642d8f5.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• templates/default/tests/integration.spec.ts
• tests/integration/fns.sh

[0xjei]

utACK

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/ci.yml (1)

98-114: ⚠️ Potential issue | 🟠 Major

Compute job filters still has lint errors, and build_sdk is being overwritten.

actionlint/shellcheck will keep complaining about the unquoted any arguments and repeated redirects here, and Lines 101 and 110 both write build_sdk, so the narrower expression at Line 110 overrides the broader one from Line 101.

🔧 Suggested fix

           any() { for v in "$@"; do [ "$v" = "true" ] && echo "true" && return; done; echo "false"; }
-
-          echo "rust_tests=$(any $FORCE $RUST $CONTRACTS $CIRCUITS $CI)" >> $GITHUB_OUTPUT
-          echo "build_sdk=$(any "$FORCE" "$RUST" "$CONTRACTS" "$SDK" "$INTEGRATION" "$CIRCUITS" "$CI" "$TEMPLATES")" >> $GITHUB_OUTPUT
-          echo "crisp=$(any $FORCE $CRISP $CONTRACTS $CIRCUITS $RUST $CI)" >> $GITHUB_OUTPUT
-          echo "templates=$(any $FORCE $TEMPLATES $RUST $CONTRACTS $SDK $CI)" >> $GITHUB_OUTPUT
-          echo "zk=$(any $FORCE $RUST $CIRCUITS $CI)" >> $GITHUB_OUTPUT
-          echo "contracts=$(any $FORCE $CONTRACTS $CI)" >> $GITHUB_OUTPUT
-          echo "docker_support=$(any $FORCE $DOCKER $CI)" >> $GITHUB_OUTPUT
-          echo "docker_ciphernode=$(any $FORCE $RUST $CONTRACTS $DOCKER $CI)" >> $GITHUB_OUTPUT
-          echo "net=$(any $FORCE $INTEGRATION $CI)" >> $GITHUB_OUTPUT
-          echo "init=$(any $FORCE $TEMPLATES $RUST $CONTRACTS $CI)" >> $GITHUB_OUTPUT
-          echo "build_sdk=$(any $FORCE $RUST $CONTRACTS $SDK $CI $TEMPLATES)" >> $GITHUB_OUTPUT
-          echo "build_e3_support_dev=$(any $FORCE $TEMPLATES $RUST $CONTRACTS $SDK $CI)" >> $GITHUB_OUTPUT
-          echo "build_circuits=$(any $FORCE $RUST $CIRCUITS $CI)" >> $GITHUB_OUTPUT
-          echo "integration_prebuild=$(any "$FORCE" "$RUST" "$CONTRACTS" "$CIRCUITS" "$INTEGRATION" "$CI")" >> $GITHUB_OUTPUT
-          echo "zk_prover_integration=$(any $FORCE $RUST $CIRCUITS $CI)" >> $GITHUB_OUTPUT
+          {
+            echo "rust_tests=$(any "$FORCE" "$RUST" "$CONTRACTS" "$CIRCUITS" "$CI")"
+            echo "build_sdk=$(any "$FORCE" "$RUST" "$CONTRACTS" "$SDK" "$INTEGRATION" "$CIRCUITS" "$CI" "$TEMPLATES")"
+            echo "crisp=$(any "$FORCE" "$CRISP" "$CONTRACTS" "$CIRCUITS" "$RUST" "$CI")"
+            echo "templates=$(any "$FORCE" "$TEMPLATES" "$RUST" "$CONTRACTS" "$SDK" "$CI")"
+            echo "zk=$(any "$FORCE" "$RUST" "$CIRCUITS" "$CI")"
+            echo "contracts=$(any "$FORCE" "$CONTRACTS" "$CI")"
+            echo "docker_support=$(any "$FORCE" "$DOCKER" "$CI")"
+            echo "docker_ciphernode=$(any "$FORCE" "$RUST" "$CONTRACTS" "$DOCKER" "$CI")"
+            echo "net=$(any "$FORCE" "$INTEGRATION" "$CI")"
+            echo "init=$(any "$FORCE" "$TEMPLATES" "$RUST" "$CONTRACTS" "$CI")"
+            echo "build_e3_support_dev=$(any "$FORCE" "$TEMPLATES" "$RUST" "$CONTRACTS" "$SDK" "$CI")"
+            echo "build_circuits=$(any "$FORCE" "$RUST" "$CIRCUITS" "$CI")"
+            echo "integration_prebuild=$(any "$FORCE" "$RUST" "$CONTRACTS" "$CIRCUITS" "$INTEGRATION" "$CI")"
+            echo "zk_prover_integration=$(any "$FORCE" "$RUST" "$CIRCUITS" "$CI")"
+          } >> "$GITHUB_OUTPUT"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 98 - 114, The job filter block calls
any() with unquoted variables and also defines build_sdk twice causing the
second echo of "build_sdk" to overwrite the first; fix by passing all arguments
to any as quoted variables (e.g., change any $FORCE $RUST ... to any "$FORCE"
"$RUST" ... for every echo) and remove or rename the duplicate echo
"build_sdk=..." (keep the intended broader definition from the first build_sdk
echo and delete the narrower/duplicated one), referencing the any() function and
the two "build_sdk" echo lines to locate the edits.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/ci.yml:
- Around line 98-114: The job filter block calls any() with unquoted variables
and also defines build_sdk twice causing the second echo of "build_sdk" to
overwrite the first; fix by passing all arguments to any as quoted variables
(e.g., change any $FORCE $RUST ... to any "$FORCE" "$RUST" ... for every echo)
and remove or rename the duplicate echo "build_sdk=..." (keep the intended
broader definition from the first build_sdk echo and delete the
narrower/duplicated one), referencing the any() function and the two "build_sdk"
echo lines to locate the edits.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cea739eb-cb4a-4918-9dce-187536b7ed62

📥 Commits

Reviewing files that changed from the base of the PR and between 642d8f5 and c9ef829.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• templates/default/tests/integration.spec.ts
• tests/integration/fns.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• templates/default/tests/integration.spec.ts

[coderabbitai]

🧹 Nitpick comments (3)

.github/workflows/ci.yml (2)

453-454: Consider gating build_enclave_cli to avoid unnecessary builds.

This job always runs regardless of path changes. While safe, it wastes CI resources when no downstream jobs (ciphernode_integration_test, crisp_e2e, template_integration, test_enclave_init) are triggered.

You could add a combined condition that runs build_enclave_cli only when at least one of its dependent jobs would run:

needs: [detect_changes]
if: >-
  needs.detect_changes.outputs.ciphernode_e2e == 'true' ||
  needs.detect_changes.outputs.crisp == 'true' ||
  needs.detect_changes.outputs.templates == 'true' ||
  needs.detect_changes.outputs.init == 'true'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 453 - 454, The build_enclave_cli job
currently always runs; modify its job definition (job name: build_enclave_cli)
to depend on the detect_changes job and add a combined if condition so it only
runs when at least one downstream job would run — specifically add needs:
[detect_changes] and an if that checks
needs.detect_changes.outputs.ciphernode_e2e == 'true' ||
needs.detect_changes.outputs.crisp == 'true' ||
needs.detect_changes.outputs.templates == 'true' ||
needs.detect_changes.outputs.init == 'true', ensuring the job is gated by those
detect_changes outputs.

---

394-396: Track the removed base test suite.

The TODO indicates the base test was intentionally removed from the matrix. Consider creating an issue to track re-enabling it once the underlying issue is resolved.

Would you like me to help create an issue to track re-enabling the base test suite?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 394 - 396, Create a new issue to track
re-enabling the removed "base" test suite: reference the TODO and the CI matrix
change where "test-suite: [persist]" was left (and "base" removed), describe the
current state and failure that prompted removal, include steps to reproduce the
CI failure, any logs or PRs that led to the change, and propose a remediation
plan; tag the issue with labels like "ci" and "tests", assign to the team or
owner responsible for CI, and add a follow-up reminder to re-check and re-enable
the "base" suite once the underlying issue is fixed.

tests/integration/fns.sh (1)

68-77: Good timeout implementation with one shellcheck fix needed.

The timeout logic is well-designed with a sensible 600-second default. However, line 69 combines declaration and assignment, which masks the return value of date +%s (SC2155).

🔧 Proposed fix to separate declaration and assignment

 waiton() {
     local file_path="$1"
     local timeout="${2:-600}"  # default 10 minutes
-    local start_time=$(date +%s)
+    local start_time
+    start_time=$(date +%s)
     until [ -f "$file_path" ]; do
         if [ $(($(date +%s) - start_time)) -ge $timeout ]; then
             echo "Timeout after ${timeout}s waiting for: $file_path" >&2
             return 1
         fi
         sleep 1
     done
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/integration/fns.sh` around lines 68 - 77, Split the combined
declaration+assignment for start_time to satisfy shellcheck SC2155: replace the
single-line "local start_time=$(date +%s)" with a separate declaration and
assignment so you first declare local start_time and then set start_time=$(date
+%s); keep the rest of the timeout loop (the until [ -f "$file_path" ] loop and
timeout logic) unchanged and ensure you reference the same start_time variable
in the time comparison.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 453-454: The build_enclave_cli job currently always runs; modify
its job definition (job name: build_enclave_cli) to depend on the detect_changes
job and add a combined if condition so it only runs when at least one downstream
job would run — specifically add needs: [detect_changes] and an if that checks
needs.detect_changes.outputs.ciphernode_e2e == 'true' ||
needs.detect_changes.outputs.crisp == 'true' ||
needs.detect_changes.outputs.templates == 'true' ||
needs.detect_changes.outputs.init == 'true', ensuring the job is gated by those
detect_changes outputs.
- Around line 394-396: Create a new issue to track re-enabling the removed
"base" test suite: reference the TODO and the CI matrix change where
"test-suite: [persist]" was left (and "base" removed), describe the current
state and failure that prompted removal, include steps to reproduce the CI
failure, any logs or PRs that led to the change, and propose a remediation plan;
tag the issue with labels like "ci" and "tests", assign to the team or owner
responsible for CI, and add a follow-up reminder to re-check and re-enable the
"base" suite once the underlying issue is fixed.

In `@tests/integration/fns.sh`:
- Around line 68-77: Split the combined declaration+assignment for start_time to
satisfy shellcheck SC2155: replace the single-line "local start_time=$(date
+%s)" with a separate declaration and assignment so you first declare local
start_time and then set start_time=$(date +%s); keep the rest of the timeout
loop (the until [ -f "$file_path" ] loop and timeout logic) unchanged and ensure
you reference the same start_time variable in the time comparison.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ec737ba2-2f1d-41a3-86cf-f4acebe2039c

📥 Commits

Reviewing files that changed from the base of the PR and between c9ef829 and fb30e3e.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• templates/default/tests/integration.spec.ts
• tests/integration/fns.sh