From 9720f8fa6fc42f317bd45338c5e84e1c7453a50b Mon Sep 17 00:00:00 2001 From: samuelburnham <45365069+samuelburnham@users.noreply.github.com> Date: Tue, 30 Jun 2026 16:33:21 -0400 Subject: [PATCH 1/6] ci: Fix `bench-thresholds-reset` --- .github/workflows/bench-thresholds-reset.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bench-thresholds-reset.yml b/.github/workflows/bench-thresholds-reset.yml index 1f8be388..4f17e558 100644 --- a/.github/workflows/bench-thresholds-reset.yml +++ b/.github/workflows/bench-thresholds-reset.yml @@ -70,8 +70,13 @@ jobs: case " $valid " in *" $w "*) ;; *) echo "skip unknown workload: $w"; continue ;; esac tag="baseline-reset-$w" echo "Anchoring $tag -> $sha" - gh api -X PATCH "repos/$REPO/git/refs/tags/$tag" -f sha="$sha" -F force=true \ - || gh api -X POST "repos/$REPO/git/refs" -f ref="refs/tags/$tag" -f sha="$sha" + # Update the tag if it exists, else create it. (Checking first avoids + # the spurious 422 a PATCH-then-POST logs on first creation.) + if gh api --silent "repos/$REPO/git/refs/tags/$tag" 2>/dev/null; then + gh api --silent -X PATCH "repos/$REPO/git/refs/tags/$tag" -f sha="$sha" -F force=true + else + gh api --silent -X POST "repos/$REPO/git/refs" -f ref="refs/tags/$tag" -f sha="$sha" + fi done_list="$done_list $w" done [ -z "$done_list" ] && { echo "Nothing to reset."; exit 0; } From eabb513867416e6794b87cf5cbe17be24d9ef59d Mon Sep 17 00:00:00 2001 From: samuelburnham <45365069+samuelburnham@users.noreply.github.com> Date: Tue, 30 Jun 2026 21:14:40 +0000 Subject: [PATCH 2/6] ci: Download Zisk proving key --- .github/workflows/riscv-bench.yml | 32 +++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/.github/workflows/riscv-bench.yml b/.github/workflows/riscv-bench.yml index 59a0ea13..250ddefe 100644 --- a/.github/workflows/riscv-bench.yml +++ b/.github/workflows/riscv-bench.yml @@ -108,14 +108,38 @@ jobs: name: minimal-ixe - name: Install Zisk toolchain (ziskup, latest) # `--cpu` picks the CPU build (no GPU on the runner) and `--nokey` skips - # the proving/verify keys — together they avoid ziskup's interactive - # /dev/tty prompts, and execute needs no keys. `--prefix $HOME/.zisk` - # pins the install where cargo-zisk's ZiskPaths fallback looks (the - # runner sets XDG_CONFIG_HOME, which would otherwise relocate it). + # ziskup's key install — both avoid its interactive /dev/tty prompts. + # We keep `--nokey` because the upstream `zisk-setup` bucket only carries + # the upstream circuit's key; our blake3-precompile fork has a different + # circuit (extra Blake3f AIR), so we restore the fork-matching key from + # our own S3 in the next step. `--prefix $HOME/.zisk` pins the install + # where cargo-zisk's ZiskPaths fallback looks (the runner sets + # XDG_CONFIG_HOME, which would otherwise relocate it). run: | curl -L https://raw.githubusercontent.com/0xPolygonHermez/zisk/main/ziskup/install.sh \ | bash -s -- --cpu --nokey -y --prefix "$HOME/.zisk" echo "$HOME/.zisk/bin" >> "$GITHUB_PATH" + # Execute still needs a proving key present: zisk-host calls + # `client.setup()` (which the SDK runs before the execute branch), and that + # loads the circuit's const-tree files. We host the fork-matching key in a + # public S3 bucket WITHOUT the const-trees — exactly like Zisk's released + # `zisk-provingkey-*.tar.gz` on `storage.googleapis.com/zisk-setup` — and + # regenerate them here with `cargo-zisk check-setup -a`, which is how + # `ziskup` itself populates them. That keeps the artifact ~3 GB (gzip) + # instead of ~48 GB. The object name carries the fork rev so a circuit + # change can't silently reuse a stale key. Public bucket → plain curl, no + # AWS creds. + - name: Restore Zisk proving key (fork circuit) from S3 + run: | + mkdir -p "$HOME/.zisk" + curl -fSL --retry 3 \ + https://argument-zisk-setup.s3.amazonaws.com/zisk-provingkey-blake3-8f9e24d5-cpu.tar.gz \ + -o /tmp/zisk-provingkey.tar.gz + tar -C "$HOME/.zisk" -xzf /tmp/zisk-provingkey.tar.gz + rm -f /tmp/zisk-provingkey.tar.gz + # Regenerate the const-tree files omitted from the artifact (CPU build, + # so no --gpu). This is the "may take a while" step ziskup prints. + cargo-zisk check-setup --proving-key "$HOME/.zisk/provingKey" -a - name: Zisk — execute minimal.ixe (assert failures == 0) run: | cd zisk From e94f25a850c4f46b2be8b82395939a667690ac39 Mon Sep 17 00:00:00 2001 From: samuelburnham <45365069+samuelburnham@users.noreply.github.com> Date: Tue, 30 Jun 2026 21:15:37 +0000 Subject: [PATCH 3/6] Temporary test --- .github/workflows/riscv-bench.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/riscv-bench.yml b/.github/workflows/riscv-bench.yml index 250ddefe..aa53c146 100644 --- a/.github/workflows/riscv-bench.yml +++ b/.github/workflows/riscv-bench.yml @@ -6,7 +6,7 @@ name: RISC-V bench # kernel typecheck of one constant in the SP1 and Zisk VMs — in parallel jobs. on: push: - branches: main + branches: [main, ci-fixes] workflow_dispatch: permissions: From a663147e28645ed4b61b34f188cb60553527a798 Mon Sep 17 00:00:00 2001 From: samuelburnham <45365069+samuelburnham@users.noreply.github.com> Date: Tue, 30 Jun 2026 21:32:47 +0000 Subject: [PATCH 4/6] Fixup --- .github/workflows/riscv-bench.yml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/riscv-bench.yml b/.github/workflows/riscv-bench.yml index aa53c146..49ba14c1 100644 --- a/.github/workflows/riscv-bench.yml +++ b/.github/workflows/riscv-bench.yml @@ -106,18 +106,24 @@ jobs: - uses: actions/download-artifact@v4 with: name: minimal-ixe - - name: Install Zisk toolchain (ziskup, latest) + - name: Install Zisk toolchain (ziskup, pinned v0.18.0) + # `--version 0.18.0` pins the toolchain to match our deps. Our host links + # the argumentcomputer/zisk `blake3-precompile` fork, which is based on + # v0.18.0 (its cargo-zisk has `check-setup`, used below to regenerate the + # key's const-trees). Without the pin, ziskup installs `releases/latest`, + # which resolves to upstream `v1.0.0-alpha` — a different circuit whose + # cargo-zisk dropped the `check-setup` subcommand, breaking the key step. # `--cpu` picks the CPU build (no GPU on the runner) and `--nokey` skips - # ziskup's key install — both avoid its interactive /dev/tty prompts. - # We keep `--nokey` because the upstream `zisk-setup` bucket only carries - # the upstream circuit's key; our blake3-precompile fork has a different - # circuit (extra Blake3f AIR), so we restore the fork-matching key from - # our own S3 in the next step. `--prefix $HOME/.zisk` pins the install - # where cargo-zisk's ZiskPaths fallback looks (the runner sets - # XDG_CONFIG_HOME, which would otherwise relocate it). + # ziskup's key install — both avoid its interactive /dev/tty prompts. We + # keep `--nokey` because the upstream `zisk-setup` bucket only carries the + # upstream circuit's key; our fork has a different circuit (extra Blake3f + # AIR), so we restore the fork-matching key from our own S3 in the next + # step. `--prefix $HOME/.zisk` pins the install where cargo-zisk's + # ZiskPaths fallback looks (the runner sets XDG_CONFIG_HOME, which would + # otherwise relocate it). run: | curl -L https://raw.githubusercontent.com/0xPolygonHermez/zisk/main/ziskup/install.sh \ - | bash -s -- --cpu --nokey -y --prefix "$HOME/.zisk" + | bash -s -- --cpu --nokey -y --version 0.18.0 --prefix "$HOME/.zisk" echo "$HOME/.zisk/bin" >> "$GITHUB_PATH" # Execute still needs a proving key present: zisk-host calls # `client.setup()` (which the SDK runs before the execute branch), and that From 4c1315c6eccab125d275728e83635127e88a74ce Mon Sep 17 00:00:00 2001 From: samuelburnham <45365069+samuelburnham@users.noreply.github.com> Date: Wed, 1 Jul 2026 18:11:59 +0000 Subject: [PATCH 5/6] Fix Zisk ulimit --- .github/workflows/riscv-bench.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/riscv-bench.yml b/.github/workflows/riscv-bench.yml index 49ba14c1..6a459f94 100644 --- a/.github/workflows/riscv-bench.yml +++ b/.github/workflows/riscv-bench.yml @@ -149,6 +149,14 @@ jobs: - name: Zisk — execute minimal.ixe (assert failures == 0) run: | cd zisk - ulimit -l unlimited 2>/dev/null || true + # ZisK's ASM microservices mmap the ROM with MAP_LOCKED, which needs + # unlimited locked memory — the Zisk book's "Critical Memory + # Configuration" prescribes DefaultLimitMEMLOCK=infinity. The runner + # caps the memlock hard limit (so a bare `ulimit -l unlimited` can't + # raise it) and we can't reboot it, so raise the limit in-session as + # root via prlimit; the cargo child (and the ASM services it spawns) + # inherit it. Without this the services die with + # `mmap(rom) errno=11` / "shmem creation ... failed". + sudo prlimit --pid $$ --memlock=unlimited:unlimited cargo run --bin zisk-host -- --execute --ixe ../minimal.ixe --constant myReflEq --skip-deps | tee only.txt grep -qE "failures: 0\b" only.txt From 86292773fceb92f974af22931d08afd596a160e7 Mon Sep 17 00:00:00 2001 From: samuelburnham <45365069+samuelburnham@users.noreply.github.com> Date: Wed, 1 Jul 2026 18:38:07 +0000 Subject: [PATCH 6/6] Prep for review --- .github/workflows/riscv-bench.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/riscv-bench.yml b/.github/workflows/riscv-bench.yml index 6a459f94..d9ec22b7 100644 --- a/.github/workflows/riscv-bench.yml +++ b/.github/workflows/riscv-bench.yml @@ -6,7 +6,7 @@ name: RISC-V bench # kernel typecheck of one constant in the SP1 and Zisk VMs — in parallel jobs. on: push: - branches: [main, ci-fixes] + branches: main workflow_dispatch: permissions: