Add Github CI

[JoE11-y]

Summary by CodeRabbit

• Chores
  • Added CI workflows for EVM and Stellar contracts, removed an older EVM workflow; CI now installs toolchains, checks formatting, builds, and runs tests.
• New Features
  • Added a CLI script to build circuit artifacts with an optional proof generation flag.
• Style
  • Widespread formatting and whitespace consistency changes across contracts and tests.
• Tests
  • Added small circuit test config and updated test setup artifacts.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Adds root-level CI workflows for EVM and Stellar contracts, removes a legacy EVM workflow under contracts/evm, introduces a reusable circuit-build script (scripts/build_circuits.sh), and applies widespread non-functional formatting/reflow changes across Solidity and Rust contract sources and tests.

Changes

Cohort / File(s)	Summary
Workflows — New & Removed /.github/workflows/evm-contracts.yml, /.github/workflows/stellar-contracts.yml, contracts/evm/.github/workflows/test.yml	Added root-level EVM and Stellar CI workflows (Foundry/Node/pnpm, Cargo/WASM, Stellar CLI, circuit build, tests); removed legacy contracts/evm workflow.
Circuit build script & artifacts scripts/build_circuits.sh, contracts/stellar/contracts/verifier/tests/simple_circuit/Prover.toml, .gitignore	Added scripts/build_circuits.sh (compile vs prove modes, on-demand nargo/bb install, artifact normalization); added minimal Prover.toml; removed .gitignore entry for Prover.toml.
EVM Contracts contracts/evm/src/Verifier.sol, contracts/evm/src/AdManager.sol, contracts/evm/package.json, contracts/evm/test/*, contracts/evm/.github/workflows/* (removed)	Large whitespace/formatting and reflow in Verifier.sol; minor formatting tweaks in AdManager.sol and tests; added tsx devDependency; legacy contracts/evm workflow removed.
Stellar — ad-manager contracts/stellar/contracts/ad-manager/src/... (errors.rs, lib.rs, storage.rs, test.rs, token.rs, validation.rs)	Call-site and signature formatting changes (multi-line args, spacing) and import ordering edits; no behavioral changes.
Stellar — order-portal contracts/stellar/contracts/order-portal/src/... (errors.rs, lib.rs, storage.rs, test.rs, token.rs, validation.rs)	Reflowed calls and signatures to multi-line forms; logic and APIs unchanged.
Stellar — merkle-manager contracts/stellar/contracts/merkle-manager/src/mmr.rs	Minor reflow of node-hash retrieval expression; behavior unchanged.
Stellar — proofbridge-core contracts/stellar/lib/proofbridge-core/src/... (eip712.rs, test.rs, token.rs)	Reformatted byte-array constant literals and call-sites in token helpers/tests; no functional changes.
Tests & Integration contracts/stellar/tests/integration_test.rs, various */src/test.rs files	Test call-site formatting and import ordering edits only.
Removed in-tree script contracts/stellar/contracts/verifier/tests/build_circuits.sh	Deleted prior in-tree circuit build script (replaced by root scripts/build_circuits.sh).

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions (Workflow)
  participant Runner as Runner (ubuntu-latest)
  participant Checkout as Checkout (repo + submodules)
  participant Tooling as Tooling (Foundry / Rust / Node / pnpm / Stellar CLI / nargo / bb)
  participant BuildTest as Build & Test (forge / cargo / stellar contract / scripts/build_circuits.sh)

  GH->>Runner: trigger (push/pr to relevant paths or workflow_dispatch)
  Runner->>Checkout: checkout repository + recursive submodules
  Runner->>Tooling: install toolchains & configure pnpm/Node
  Runner->>Tooling: run scripts/build_circuits.sh (when invoked)
  Tooling->>BuildTest: run format checks (forge fmt / cargo fmt)
  Tooling->>BuildTest: build artifacts (forge build / stellar contract build / nargo/bb)
  Tooling->>BuildTest: run tests (forge test / cargo test / integration_test)
  BuildTest-->>GH: report results

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: impl proof circuits #1 — Related to proof-circuit tooling and circuit build scripts; overlaps with added/removed Prover.toml and circuit build automation.

Suggested reviewers

• Ugo-X

Poem

🐰 I hopped through lines both neat and long,
Reformatted code and hummed a song.
New workflows spin, circuits compile,
Tests will run and logs will smile.
🥕📦 — a rabbit claps, tail twitching with glee

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Add Github CI' is vague and overly generic. It does not clearly convey which CI workflows or what specific functionality is being added across multiple projects and repositories.	Use a more specific title that describes the main changes, such as 'Add GitHub Actions workflows for EVM and Stellar contract testing' or 'Consolidate CI workflows to top-level .github directory'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch stellar-integrations

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

contracts/evm/src/Verifier.sol (1)

233-240: ⚠️ Potential issue | 🔴 Critical

exp computes the wrong power for most exponents

Line 236-239 currently squares base in a doubling loop and returns it, which only matches base^exponent for special exponents (e.g., powers of two). This breaks field arithmetic correctness.

Proposed fix

 function exp(Fr base, Fr exponent) pure returns (Fr) {
-    if (Fr.unwrap(exponent) == 0) return Fr.wrap(1);
-
-    for (uint256 i = 1; i < Fr.unwrap(exponent); i += i) {
-        base = base * base;
-    }
-    return base;
+    uint256 e = Fr.unwrap(exponent);
+    Fr result = Fr.wrap(1);
+    Fr b = base;
+    while (e > 0) {
+        if ((e & 1) == 1) {
+            result = result * b;
+        }
+        b = b * b;
+        e >>= 1;
+    }
+    return result;
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/evm/src/Verifier.sol` around lines 233 - 240, The exp function
currently replaces base with base*base in a doubling loop and returns base,
which computes only powers of two; fix it to perform proper exponentiation by
squaring: unwrap the exponent into a local uint256 (e.g., uint256 e =
Fr.unwrap(exponent)), initialize an accumulator result = Fr.wrap(1), then while
e > 0 if e & 1 == 1 multiply result by base, then square base (base = base *
base) and shift e >>= 1; finally return result; update references to
Fr.unwrap/Fr.wrap and the function exp signature accordingly.

🧹 Nitpick comments (1)

.github/workflows/evm-contracts.yml (1)

26-31: Pin external GitHub Actions to immutable commit SHAs.

Actions use mutable tags (@v1, @v4) instead of commit SHAs, which weakens workflow supply-chain integrity. Replace with SHA-pinned uses: entries for all four actions on lines 26, 31, 37, and 40.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/evm-contracts.yml around lines 26 - 31, The workflow uses
mutable action tags (e.g., actions/checkout@v4 and
foundry-rs/foundry-toolchain@v1) which should be replaced with immutable commit
SHAs; update each `uses:` entry for the four actions mentioned (the ones
currently using `@v4/`@v1 tags) to reference their corresponding full commit SHA
instead of the tag, ensuring you fetch the exact commit SHAs from the upstream
repos and replace the `uses:` values consistently so the workflow is pinned to
immutable versions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/evm-contracts.yml:
- Around line 5-11: The workflow path filters only include "contracts/evm/**"
and the workflow file itself; update both the "paths" and "pull_request.paths"
arrays in evm-contracts.yml to also match repo-root dependency inputs used when
installing deps (e.g. package.json, package-lock.json, yarn.lock,
pnpm-lock.yaml, pnpm-workspace.yaml, and any monorepo/tooling manifests like
turbo.json or workspace config) so changes to those files will trigger the job;
modify the same filters referenced in the diff and the dependency-install
section (the block around the install step currently at lines 45-47) so both
push and PR triggers include those root files.

In @.github/workflows/stellar-contracts.yml:
- Around line 55-60: The workflow is downloading and extracting the Stellar CLI
without any integrity checks; update the run step that fetches
/tmp/stellar-cli.tar.gz to compute and record a SHA256 hash immediately after
download (e.g., compute sha256sum of /tmp/stellar-cli.tar.gz and write it to the
job log and an artifact) and make the job optionally verify against a pinned
value supplied via an input or env var (e.g., STELLAR_CLI_SHA256) so CI fails if
a known-good hash is provided and doesn't match; if no pinned checksum is
available, at minimum persist the computed hash for auditing and add a TODO note
to switch to official checksums/GPG signatures once Stellar publishes them.

In `@contracts/evm/src/Verifier.sol`:
- Around line 776-778: The staticcall to the precompile (address(0x08)) decodes
result unconditionally which can revert if the call failed or returned empty
data; change the logic in the function around the (bool success, bytes memory
result) = address(0x08).staticcall(input) so that you first check success (and
optionally result.length > 0) and only call abi.decode(result, (bool)) when
success is true, returning false (or the appropriate fallback) otherwise; update
any return to use the safely decoded value (e.g., decodedResult) only after the
success check.

---

Outside diff comments:
In `@contracts/evm/src/Verifier.sol`:
- Around line 233-240: The exp function currently replaces base with base*base
in a doubling loop and returns base, which computes only powers of two; fix it
to perform proper exponentiation by squaring: unwrap the exponent into a local
uint256 (e.g., uint256 e = Fr.unwrap(exponent)), initialize an accumulator
result = Fr.wrap(1), then while e > 0 if e & 1 == 1 multiply result by base,
then square base (base = base * base) and shift e >>= 1; finally return result;
update references to Fr.unwrap/Fr.wrap and the function exp signature
accordingly.

---

Nitpick comments:
In @.github/workflows/evm-contracts.yml:
- Around line 26-31: The workflow uses mutable action tags (e.g.,
actions/checkout@v4 and foundry-rs/foundry-toolchain@v1) which should be
replaced with immutable commit SHAs; update each `uses:` entry for the four
actions mentioned (the ones currently using `@v4/`@v1 tags) to reference their
corresponding full commit SHA instead of the tag, ensuring you fetch the exact
commit SHAs from the upstream repos and replace the `uses:` values consistently
so the workflow is pinned to immutable versions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b88939cb-e76f-4823-8137-32fe3cbee75b

📥 Commits

Reviewing files that changed from the base of the PR and between c047981 and db32886.

📒 Files selected for processing (26)

• .github/workflows/evm-contracts.yml
• .github/workflows/stellar-contracts.yml
• contracts/evm/.github/workflows/test.yml
• contracts/evm/src/Verifier.sol
• contracts/stellar/contracts/ad-manager/src/errors.rs
• contracts/stellar/contracts/ad-manager/src/lib.rs
• contracts/stellar/contracts/ad-manager/src/storage.rs
• contracts/stellar/contracts/ad-manager/src/test.rs
• contracts/stellar/contracts/ad-manager/src/token.rs
• contracts/stellar/contracts/ad-manager/src/validation.rs
• contracts/stellar/contracts/merkle-manager/src/mmr.rs
• contracts/stellar/contracts/order-portal/src/errors.rs
• contracts/stellar/contracts/order-portal/src/lib.rs
• contracts/stellar/contracts/order-portal/src/storage.rs
• contracts/stellar/contracts/order-portal/src/test.rs
• contracts/stellar/contracts/order-portal/src/token.rs
• contracts/stellar/contracts/order-portal/src/validation.rs
• contracts/stellar/lib/proofbridge-core/src/eip712.rs
• contracts/stellar/lib/proofbridge-core/src/test.rs
• contracts/stellar/lib/proofbridge-core/src/token.rs
• contracts/stellar/test_snapshots/test_ad_manager_lock_for_order.1.json
• contracts/stellar/test_snapshots/test_ad_manager_unlock_with_bridger_proof.1.json
• contracts/stellar/test_snapshots/test_full_cross_chain_flow.1.json
• contracts/stellar/test_snapshots/test_nullifier_prevents_double_unlock.1.json
• contracts/stellar/test_snapshots/test_order_portal_create_and_unlock.1.json
• contracts/stellar/tests/integration_test.rs

💤 Files with no reviewable changes (1)

• contracts/evm/.github/workflows/test.yml

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

.github/workflows/stellar-contracts.yml (1)

6-12: ⚠️ Potential issue | 🟠 Major

Workflow trigger paths miss required build inputs.

Line 7 and Line 11 only watch contracts/stellar/**, but this workflow also depends on scripts/build_circuits.sh and proof_circuits/deposits. Changes there won’t trigger CI, so breakages can slip through.

💡 Suggested patch

   push:
     branches: [main]
     paths:
       - "contracts/stellar/**"
+      - "proof_circuits/**"
+      - "scripts/build_circuits.sh"
       - ".github/workflows/stellar-contracts.yml"
   pull_request:
     paths:
       - "contracts/stellar/**"
+      - "proof_circuits/**"
+      - "scripts/build_circuits.sh"
       - ".github/workflows/stellar-contracts.yml"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/stellar-contracts.yml around lines 6 - 12, The workflow
trigger lists under the push and pull_request "paths" blocks only include
"contracts/stellar/**" and miss other inputs; update both paths arrays (the
push.paths and pull_request.paths entries) to also include
"scripts/build_circuits.sh" and "proof_circuits/deposits" so changes to the
build script and proof circuit sources will trigger the CI run alongside changes
to "contracts/stellar/**".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/stellar-contracts.yml:
- Around line 58-61: The shell commands mkdir -p, tar -xzf, chmod, and echo in
the install block use unquoted variables which can trigger
word-splitting/globbing (SC2086); update those commands to quote
environment-variable expansions such as "$HOME/.local/bin", the tar archive path
"/tmp/stellar-cli.tar.gz" (and the -C target "$HOME/.local/bin"), and the
GITHUB_PATH destination "$GITHUB_PATH" so each command (mkdir -p
"$HOME/.local/bin", tar -xzf "/tmp/stellar-cli.tar.gz" -C "$HOME/.local/bin"
stellar, chmod +x "$HOME/.local/bin"/stellar, echo "$HOME/.local/bin" >>
"$GITHUB_PATH") safely handles paths with spaces or special characters.

In `@scripts/build_circuits.sh`:
- Around line 123-126: Add an explicit check that the provided path exists and
is a directory before attempting to cd; e.g., before setting TARGET_PATH use a
test like if [ ! -e "$1" ] || [ ! -d "$1" ] then print a clear error (to stderr)
and call usage (or exit), then proceed with TARGET_PATH="$(cd "$1" && pwd)";
reference the existing usage function and the TARGET_PATH/PROVE variables when
making the change.

---

Duplicate comments:
In @.github/workflows/stellar-contracts.yml:
- Around line 6-12: The workflow trigger lists under the push and pull_request
"paths" blocks only include "contracts/stellar/**" and miss other inputs; update
both paths arrays (the push.paths and pull_request.paths entries) to also
include "scripts/build_circuits.sh" and "proof_circuits/deposits" so changes to
the build script and proof circuit sources will trigger the CI run alongside
changes to "contracts/stellar/**".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7ea4f209-f832-4d84-8b75-a761c2afd006

📥 Commits

Reviewing files that changed from the base of the PR and between e0c6085 and a399211.

📒 Files selected for processing (4)

• .github/workflows/evm-contracts.yml
• .github/workflows/stellar-contracts.yml
• contracts/stellar/contracts/verifier/tests/build_circuits.sh
• scripts/build_circuits.sh

💤 Files with no reviewable changes (1)

• contracts/stellar/contracts/verifier/tests/build_circuits.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/evm-contracts.yml