chore: cancel workflow on lint/compile failures to save CI spend #1428

Merged: cedoor merged 3 commits into main from ci/fail-ci on Mar 16, 2026

cedoor commented Mar 16, 2026

Summary

Adds early workflow cancellation when fast-feedback jobs detect lint, compile, or build errors, avoiding unnecessary CI spend on e2e tests that are guaranteed to fail.

What changed

  • Added per-job permissions: { contents: read, actions: write } (required for gh run cancel) to each affected job
  • Added a Cancel workflow on failure step (using gh run cancel) to four fast-feedback jobs:
    • rust_tests — catches Rust lint and compile errors
    • test_contracts — catches Solidity lint errors
    • build_circuits — catches Noir formatting and test errors
    • build_enclave_cli — catches Rust compile errors; this job always runs and is a dependency for 4 downstream jobs

Why only these four jobs?

Cancelling the entire run on any job failure would be too aggressive — it hides parallel failures, amplifies flaky tests, and can interrupt artifact uploads mid-flight. Instead, we only cancel on failures that represent "nothing else will pass either" signals: lint, compile, and core build errors.

Other build and e2e jobs are left untouched so that:

  • Developers still see the full picture of what's broken in a single push
  • Artifact uploads aren't interrupted
  • Flaky tests in one job don't nuke unrelated results

What's NOT changed

  • No existing job logic, conditions, or dependencies were modified
  • Downstream chained jobs (ciphernode_integration_test, crisp_e2e, template_integration, etc.) already stop automatically via needs: when their upstream dependency fails
  • detect_changes and contrib-readme-job are unaffected

Summary by CodeRabbit

  • Chores
    • Improved CI/CD workflow configuration with enhanced job-level security controls and permissions, plus automatic workflow cancellation when failures are detected in build and test stages, enabling faster issue identification and more efficient use of build resources across the entire continuous integration pipeline while ensuring workflow stability and reliability throughout development cycles.

@cedoor cedoor requested review from ctrlc03 and ryardley March 16, 2026 15:22
vercel Bot commented Mar 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
crisp | Ready | Preview, Comment | Mar 16, 2026 7:23pm
enclave-docs | Ready | Preview, Comment | Mar 16, 2026 7:23pm

coderabbitai Bot commented Mar 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 00f95b8f-0cdc-4b37-9984-492075b4fc2e

📥 Commits

Reviewing files that changed from the base of the PR and between c77db66 and d677831.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

📝 Walkthrough

Added per-job GitHub Actions permissions (contents: read, actions: write) and inserted "Cancel workflow on failure" steps across multiple jobs in .github/workflows/ci.yml to trigger gh run cancel when key steps fail.

Changes

Cohort / File(s) | Summary
CI workflow file (.github/workflows/ci.yml) | Added permissions blocks (contents: read, actions: write) to several jobs; inserted multiple "Cancel workflow on failure" steps (runs gh run cancel ${GITHUB_RUN_ID} with GH_TOKEN) after key test/build steps across jobs such as rust_unit_tests, test_contracts, test_net, build_circuits, build_enclave_cli, build_ciphernode_image, crisp_unit, and others.

Sequence Diagram(s)

sequenceDiagram
  participant Job as Job Step (runner)
  participant GHCLI as gh CLI
  participant GHAPI as GitHub Actions API
  participant OtherJobs as Other Running Jobs

  Job->>GHCLI: detect step failure -> run `gh run cancel ${GITHUB_RUN_ID}` (uses GH_TOKEN)
  GHCLI->>GHAPI: Cancel workflow request (actions.write)
  GHAPI-->>OtherJobs: send cancellation signal
  OtherJobs-->>GHAPI: acknowledge cancellation / stop
  GHAPI-->>Job: confirm cancellation

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • ryardley
  • ctrlc03
  • hmzakhalid

Poem

🐰 I hopped through YAML lines today,
Added stops when tests go astray.
With GH_TOKEN in a tiny dance,
Failed jobs end at first mischance.
CI sleeps sooner — that's my play. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: adding workflow cancellation on lint/compile failures to reduce CI spend.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


cedoor changed the title from "ci: cancel workflow on lint/compile failures to save CI spend" to "chore: cancel workflow on lint/compile failures to save CI spend" Mar 16, 2026

Comment thread .github/workflows/ci.yml (Outdated)

coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

688-745: ⚠️ Potential issue | 🟠 Major

Add the cancellation step to build_circuits.

The build_circuits job is missing the "Cancel workflow on failure" step that exists in rust_tests and test_contracts, removing a stated fast-feedback cancellation point.

Suggested addition in build_circuits
       - name: Test Noir circuits
         run: ./scripts/test-circuits.sh

+      - name: Cancel workflow on failure
+        if: failure()
+        run: gh run cancel ${{ github.run_id }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+
       - name: pnpm-setup
         uses: pnpm/action-setup@v4
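
Review bot: The added step `run: gh run cancel ${{ github.run_id }}` only works if the build_circuits job token has actions: write, and this hunk adds no permissions block to the job. The PR description lists per-job permissions { contents: read, actions: write } as required for gh run cancel, so the suggestion should carry that block too. Because the step sits between "Test Noir circuits" and pnpm-setup, its `if: failure()` only sees failures from the steps above it; a failure in pnpm-setup or any later step will not cancel the run, which should be stated as intended or the step moved to the end of the job. Passing the run id as "$GITHUB_RUN_ID" (the form the walkthrough describes) instead of a ${{ }} expression would also keep expression expansion out of the script text.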
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 688 - 745, The build_circuits job is
missing the "Cancel workflow on failure" step; add the same cancellation step
used in rust_tests and test_contracts into the build_circuits job's steps
(immediately after checkout) so the workflow cancels fast on failures. Locate
the build_circuits job and insert the step with the exact step name "Cancel
workflow on failure" and the same action and conditional used in the other jobs
to ensure consistent behavior. Ensure the step order matches other jobs (right
after the actions/checkout step) so cancellation is available before
long-running tasks like Install Nargo and Build circuits.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 27-31: The workflow-wide permissions block currently grants
actions: write which should be scoped to only the jobs that need to cancel
workflows and must not remove packages: write from Docker-pushing jobs; update
permissions so the top-level permissions keep contents: read (or replicate
contents: read into each job), remove actions: write from the global block, add
job-level permissions with actions: write for rust_tests and test_contracts
(these are the only jobs that cancel runs), add job-level permissions with
packages: write for build_e3_support_risc0 and build_ciphernode_image (they push
to ghcr.io), and ensure build_circuits does not receive actions: write because
it does not cancel workflows.

---

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 688-745: The build_circuits job is missing the "Cancel workflow on
failure" step; add the same cancellation step used in rust_tests and
test_contracts into the build_circuits job's steps (immediately after checkout)
so the workflow cancels fast on failures. Locate the build_circuits job and
insert the step with the exact step name "Cancel workflow on failure" and the
same action and conditional used in the other jobs to ensure consistent
behavior. Ensure the step order matches other jobs (right after the
actions/checkout step) so cancellation is available before long-running tasks
like Install Nargo and Build circuits.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 125a9c8c-c3b1-4771-aa83-513e121dcc79

📥 Commits

Reviewing files that changed from the base of the PR and between 662cb0a and c77db66.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
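
The permission scoping discussed in the PR summary and in the review comment above, shown as an added example: a constructed workflow, not the project's ci.yml. Job names and script paths are placeholders, and the cancel step reads the run id from the runner's `GITHUB_RUN_ID` environment variable (with `GH_REPO` set so `gh` does not depend on a checkout), which is an assumption of this example rather than the merged change.

```yaml
# Constructed example workflow, not the project's ci.yml.
name: ci-example
on: [pull_request]

# Workflow-wide default stays read-only. Granting actions: write here
# would hand it to every job, including ones that never cancel a run.
permissions:
  contents: read

jobs:
  lint_and_compile:            # hypothetical fast-feedback job
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job, and
    # any scope not listed becomes "none", so contents: read is restated.
    permissions:
      contents: read
      actions: write           # needed by gh run cancel
    steps:
      - uses: actions/checkout@v4
      - name: Lint and compile
        run: ./scripts/lint.sh           # placeholder script path
      - name: Cancel workflow on failure
        if: failure()
        # Values arrive as environment variables; no ${{ }} expression is
        # expanded inside the script text.
        run: gh run cancel "$GITHUB_RUN_ID"
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}

  push_image:                  # hypothetical image-publishing job
    runs-on: ubuntu-latest
    # Registry pushes need packages: write; this job cannot cancel runs.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Build and push
        run: ./scripts/push-image.sh     # placeholder script path

  e2e:                         # hypothetical slow job, read-only token
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/e2e.sh            # placeholder script path
```

Only `lint_and_compile` holds a token that can cancel runs; `e2e` inherits the read-only default, and `push_image` keeps `packages: write` because its own block would otherwise drop it.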

Comment thread .github/workflows/ci.yml

ctrlc03 previously approved these changes Mar 16, 2026

cedoor merged commit be5a732 into main Mar 16, 2026
27 checks passed

github-actions Bot deleted the ci/fail-ci branch March 24, 2026 03:14