@@ -106,19 +106,57 @@ jobs:
106106 - uses : actions/download-artifact@v4
107107 with :
108108 name : minimal-ixe
109- - name : Install Zisk toolchain (ziskup, latest)
109+ - name : Install Zisk toolchain (ziskup, pinned v0.18.0)
110+ # `--version 0.18.0` pins the toolchain to match our deps. Our host links
111+ # the argumentcomputer/zisk `blake3-precompile` fork, which is based on
112+ # v0.18.0 (its cargo-zisk has `check-setup`, used below to regenerate the
113+ # key's const-trees). Without the pin, ziskup installs `releases/latest`,
114+ # which resolves to upstream `v1.0.0-alpha` — a different circuit whose
115+ # cargo-zisk dropped the `check-setup` subcommand, breaking the key step.
110116 # `--cpu` picks the CPU build (no GPU on the runner) and `--nokey` skips
111- # the proving/verify keys — together they avoid ziskup's interactive
112- # /dev/tty prompts, and execute needs no keys. `--prefix $HOME/.zisk`
113- # pins the install where cargo-zisk's ZiskPaths fallback looks (the
114- # runner sets XDG_CONFIG_HOME, which would otherwise relocate it).
117+ # ziskup's key install — both avoid its interactive /dev/tty prompts. We
118+ # keep `--nokey` because the upstream `zisk-setup` bucket only carries the
119+ # upstream circuit's key; our fork has a different circuit (extra Blake3f
120+ # AIR), so we restore the fork-matching key from our own S3 in the next
121+ # step. `--prefix $HOME/.zisk` pins the install where cargo-zisk's
122+ # ZiskPaths fallback looks (the runner sets XDG_CONFIG_HOME, which would
123+ # otherwise relocate it).
115124 run : |
116125 curl -L https://raw.githubusercontent.com/0xPolygonHermez/zisk/main/ziskup/install.sh \
117- | bash -s -- --cpu --nokey -y --prefix "$HOME/.zisk"
126+ | bash -s -- --cpu --nokey -y --version 0.18.0 -- prefix "$HOME/.zisk"
118127 echo "$HOME/.zisk/bin" >> "$GITHUB_PATH"
128+ # Execute still needs a proving key present: zisk-host calls
129+ # `client.setup()` (which the SDK runs before the execute branch), and that
130+ # loads the circuit's const-tree files. We host the fork-matching key in a
131+ # public S3 bucket WITHOUT the const-trees — exactly like Zisk's released
132+ # `zisk-provingkey-*.tar.gz` on `storage.googleapis.com/zisk-setup` — and
133+ # regenerate them here with `cargo-zisk check-setup -a`, which is how
134+ # `ziskup` itself populates them. That keeps the artifact ~3 GB (gzip)
135+ # instead of ~48 GB. The object name carries the fork rev so a circuit
136+ # change can't silently reuse a stale key. Public bucket → plain curl, no
137+ # AWS creds.
138+ - name : Restore Zisk proving key (fork circuit) from S3
139+ run : |
140+ mkdir -p "$HOME/.zisk"
141+ curl -fSL --retry 3 \
142+ https://argument-zisk-setup.s3.amazonaws.com/zisk-provingkey-blake3-8f9e24d5-cpu.tar.gz \
143+ -o /tmp/zisk-provingkey.tar.gz
144+ tar -C "$HOME/.zisk" -xzf /tmp/zisk-provingkey.tar.gz
145+ rm -f /tmp/zisk-provingkey.tar.gz
146+ # Regenerate the const-tree files omitted from the artifact (CPU build,
147+ # so no --gpu). This is the "may take a while" step ziskup prints.
148+ cargo-zisk check-setup --proving-key "$HOME/.zisk/provingKey" -a
119149 - name : Zisk — execute minimal.ixe (assert failures == 0)
120150 run : |
121151 cd zisk
122- ulimit -l unlimited 2>/dev/null || true
152+ # ZisK's ASM microservices mmap the ROM with MAP_LOCKED, which needs
153+ # unlimited locked memory — the Zisk book's "Critical Memory
154+ # Configuration" prescribes DefaultLimitMEMLOCK=infinity. The runner
155+ # caps the memlock hard limit (so a bare `ulimit -l unlimited` can't
156+ # raise it) and we can't reboot it, so raise the limit in-session as
157+ # root via prlimit; the cargo child (and the ASM services it spawns)
158+ # inherit it. Without this the services die with
159+ # `mmap(rom) errno=11` / "shmem creation ... failed".
160+ sudo prlimit --pid $$ --memlock=unlimited:unlimited
123161 cargo run --bin zisk-host -- --execute --ixe ../minimal.ixe --constant myReflEq --skip-deps | tee only.txt
124162 grep -qE "failures: 0\b" only.txt
0 commit comments