Merged
36 commits
02abc10
refactor: build SP1 ELFs via sp1_build + embed via include_elf!() (OP…
Jun 16, 2026
cece7f6
docs: fix ELF management comparison — reference op-succinct not Base TEE
Jun 16, 2026
743aa8c
fix: formatting and SP1 Docker build path for world-chain-proof-core
Jun 16, 2026
5861a3e
fix: add embedded-elfs feature to gate include_elf!() behind Docker b…
Jun 16, 2026
a9326d9
fix: fmt and clippy embedded-elfs feature activation
Jun 16, 2026
82dc566
refactor: move embedded ELF crate to separate world-chain-proof-succi…
Jun 16, 2026
c64c679
fix: run cargo fmt
Jun 17, 2026
266169c
fix: create stub ELFs in clippy mode to resolve include_elf!() errors
Jun 17, 2026
0a0582c
fix: remove unused `fs` import from sp1-worker main.rs
Jun 17, 2026
c335789
fix: use #[cfg(clippy)] instead of stub files; address review comments
Jun 17, 2026
a68241a
fix(devnet/elfs): address Cursor Bugbot comments #3427817138 and #342…
Jun 17, 2026
140b694
fix: split cfg(clippy)/cfg(not(clippy)) use imports to suppress unuse…
Jun 17, 2026
65d496f
fix: add nextest retries=2 to default profile for flaky integration t…
Jun 17, 2026
2845e8a
chore: stage updated release-proof workflow (move to .github/workflow…
Jun 18, 2026
c41e567
update release-proof workflow
Jun 18, 2026
9f8f0d5
fix: make PROVER_PACKAGE and PROVER_BIN required build args
Jun 18, 2026
b102931
revert: remove nextest retries change
Jun 18, 2026
c0edb61
feat: commit vkeys.json with CI verification recipe
Jun 18, 2026
f6ec09d
fix: correct package name in vkeys Justfile recipes
Jun 18, 2026
35ec075
fix: update prover-sp1 to use EnvSuccinctProver::new API (no ELF args)
Jun 18, 2026
1336768
fix: vkeys command uses embedded ELFs via env_prover::range_elf()
Jun 18, 2026
bb93a56
fix: remove proofs/bin leftover (deleted on main in prover split)
Jun 18, 2026
5667167
fix: add world-chain-proof-succinct-elfs dep to prover-sp1 for ELF em…
Jun 18, 2026
c98899d
fix: use world-chain-proof-succinct-elfs::range_elf() directly in pro…
Jun 18, 2026
4047949
Update vkeys.json
Jun 18, 2026
b8b9953
Setup vkeys CI.
Jun 18, 2026
022ac1e
fix: address cursor[bot] review comments (non-workflow files)
Jun 18, 2026
c9d05af
chore: stage updated workflow files (move to .github/workflows/)
Jun 18, 2026
eb43d98
fix: resolve AsRef ambiguity in sha256 digest calls
Jun 18, 2026
158388e
CI updates.
Jun 18, 2026
c92d6ed
update vkeys
Jun 18, 2026
e47585d
fix: use POSIX-compatible diff in verify-proof-vkeys
Jun 18, 2026
ebb6c58
fix: normalize both sides with jq in verify-proof-vkeys
Jun 18, 2026
b29c8cf
fix: strip debug info and remap paths for reproducible ELF builds
Jun 18, 2026
5c3fa13
refactor: always use Docker for SP1 ELF builds (ecosystem standard)
Jun 18, 2026
f545fa2
update vkeys
Jun 18, 2026
46 changes: 6 additions & 40 deletions .github/workflows/docker-proof.yml
@@ -34,35 +34,9 @@ permissions:
id-token: write

jobs:
build-elfs:
name: build ELFs
runs-on: arc-public-8xlarge-amd64-runner
steps:
- name: Check Out Repo
uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
- uses: taiki-e/install-action@just
- name: Install SP1 toolchain
run: |
curl -L https://sp1.succinct.xyz | bash
~/.sp1/bin/sp1up --version v6.1.0
echo "$HOME/.sp1/bin" >> $GITHUB_PATH
- name: Build ELFs
run: just build-proof-elfs
- name: Upload ELFs
uses: actions/upload-artifact@v4
with:
name: proof-elfs
path: |
proofs/succinct/elf/world-chain-range-ethereum
proofs/succinct/elf/world-chain-aggregation
if-no-files-found: error

build-sp1-prover-image:
name: build world-chain-prover-sp1 image
environment: dev
needs: [build-elfs]
strategy:
fail-fast: false
matrix:
@@ -77,11 +51,6 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
- name: Download ELFs
uses: actions/download-artifact@v4
with:
name: proof-elfs
path: proofs/succinct/elf
- name: Build and push digest
uses: ./.github/actions/docker-build-push-digest
with:
@@ -92,7 +61,9 @@ jobs:
sccache_bucket: ${{ env.SCCACHE_BUCKET }}
dockerfile: Dockerfile.prover
build_args: |
PROVER_BACKEND=sp1
PROVER_PACKAGE=world-chain-prover-sp1
PROVER_BIN=world-chain-prover-sp1
FEATURES=
digest_artifact_prefix: digests-prover-sp1

build-nitro-prover-image:
@@ -122,7 +93,9 @@ jobs:
sccache_bucket: ${{ env.SCCACHE_BUCKET }}
dockerfile: Dockerfile.prover
build_args: |
PROVER_BACKEND=nitro
PROVER_PACKAGE=world-chain-prover-nitro
PROVER_BIN=world-chain-prover-nitro
FEATURES=
digest_artifact_prefix: digests-prover-nitro

# Each prover's merge depends ONLY on its own build jobs. docker-build-push-digest
@@ -171,7 +144,6 @@ jobs:
build-service-images:
name: build ${{ matrix.service.bin }} image
environment: dev
needs: [build-elfs]
strategy:
fail-fast: false
matrix:
@@ -190,12 +162,6 @@ jobs:
uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
- name: Download ELFs
if: matrix.service.bin == 'sp1-worker'
uses: actions/download-artifact@v4
with:
name: proof-elfs
path: proofs/succinct/elf
- name: Build and push digest
uses: ./.github/actions/docker-build-push-digest
with:
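Review bot: Nothing visible in this workflow ties the guest ELFs compiled inside each image build to the committed `vkeys.json`: with the `Download ELFs` steps removed from `build-sp1-prover-image` and `build-service-images`, every `Dockerfile.prover` build (one per matrix entry) presumably produces its own ELFs instead of sharing the single `proof-elfs` artifact. If those builds are not bit-reproducible, the prover and sp1-worker images can embed programs with different verification keys, and the mismatch would only surface when a proof is rejected. Consider gating these jobs on the vkeys check named in the commit list (`verify-proof-vkeys`), for example a preceding job whose step is `run: just verify-proof-vkeys` if that is a Justfile recipe, and adding a comment above `build_args` such as `# guest ELFs are built inside Dockerfile.prover; resulting vkeys must match vkeys.json`. Both jobs start and continue outside the visible hunks.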
94 changes: 25 additions & 69 deletions .github/workflows/release-proof.yml
@@ -6,14 +6,12 @@
#
# A release binds together every measurement the proof system registers
# on-chain, in a single manifest.json:
# - SP1 guest ELF sha256s + range vkey commitment + aggregation vkey
# - SP1 range vkey commitment + aggregation vkey (derived from guest ELFs
# embedded at compile time via sp1_build / include_elf!())
# - Nitro enclave EIF PCR0/PCR1/PCR2
# - prover docker image digests
# plus the deployable artifacts themselves (docker images, GPG-signed binary
# tarballs, release-generated guest ELFs, and the enclave EIF).
#
# Guest ELFs are generated only for proof releases and uploaded as release
# artifacts. They are not committed to git.
# tarballs, and the enclave EIF).

name: release-proof

@@ -61,50 +59,28 @@ jobs:
VERSION: ${{ steps.extract_version.outputs.VERSION }}
IS_RELEASE: ${{ steps.extract_version.outputs.IS_RELEASE }}

# Build the SP1 guest ELFs for this release. The generated files are passed to
# downstream jobs as artifacts and staged into the GitHub release.
build-elfs:
name: build ELFs
# Compute the on-chain verification keys. The SP1 guest ELFs are compiled
# inline via sp1_build (include_elf!()) — no separate build step required.
vkeys:
name: compute vkeys
needs: approve-release
runs-on: arc-public-8xlarge-amd64-runner
steps:
- uses: actions/checkout@v6
- uses: taiki-e/install-action@just
- name: Install SP1 toolchain
run: |
curl -L https://sp1.succinct.xyz | bash
~/.sp1/bin/sp1up --version v6.1.0
echo "$HOME/.sp1/bin" >> $GITHUB_PATH
- name: Build ELFs
run: just build-proof-elfs
- name: Upload ELFs
uses: actions/upload-artifact@v4
with:
name: proof-elfs
path: |
proofs/succinct/elf/world-chain-range-ethereum
proofs/succinct/elf/world-chain-aggregation
if-no-files-found: error

# Compute the on-chain verification keys for the release-generated ELFs.
vkeys:
name: compute vkeys
needs: [build-elfs]
runs-on: arc-public-8xlarge-amd64-runner
steps:
- uses: actions/checkout@v6
- name: Download ELFs
uses: actions/download-artifact@v4
with:
name: proof-elfs
path: proofs/succinct/elf
- uses: taiki-e/install-action@just
- uses: dtolnay/rust-toolchain@stable
- uses: arduino/setup-protoc@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- uses: Swatinem/rust-cache@v2
- name: Compute vkeys
env:
SP1_BUILD_DOCKER: "false"
run: just proof-vkeys --output vkeys.json && cat vkeys.json
- name: Upload vkeys
uses: actions/upload-artifact@v4
@@ -113,14 +89,10 @@ jobs:
path: vkeys.json
if-no-files-found: error

# Backend prover images. Each image contains one host-side prover binary. The
# service deployables (sp1-worker, proposer, challenger, defender,
Comment thread
cursor[bot] marked this conversation as resolved.
# prover-service) are built from the same Dockerfile.prover in
# build-service-images below.
build-sp1-prover-image:
name: build world-chain-prover-sp1 image
environment: dev
needs: [approve-release, build-elfs]
needs: approve-release
strategy:
fail-fast: false
matrix:
@@ -132,11 +104,6 @@ jobs:
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@v6
- name: Download ELFs
uses: actions/download-artifact@v4
with:
name: proof-elfs
path: proofs/succinct/elf
Comment thread
cursor[bot] marked this conversation as resolved.
- name: Build and push digest
uses: ./.github/actions/docker-build-push-digest
with:
@@ -147,7 +114,9 @@ jobs:
sccache_bucket: ${{ env.SCCACHE_BUCKET }}
dockerfile: Dockerfile.prover
build_args: |
PROVER_BACKEND=sp1
PROVER_PACKAGE=world-chain-prover-sp1
PROVER_BIN=world-chain-prover-sp1
FEATURES=
digest_artifact_prefix: digests-prover-sp1

merge-sp1-prover-image:
@@ -194,7 +163,9 @@ jobs:
sccache_bucket: ${{ env.SCCACHE_BUCKET }}
dockerfile: Dockerfile.prover
build_args: |
PROVER_BACKEND=nitro
PROVER_PACKAGE=world-chain-prover-nitro
PROVER_BIN=world-chain-prover-nitro
FEATURES=
digest_artifact_prefix: digests-prover-nitro

merge-nitro-prover-image:
@@ -222,7 +193,7 @@ jobs:
build-service-images:
name: build ${{ matrix.service.bin }} image
environment: dev
needs: [approve-release, build-elfs]
needs: approve-release
strategy:
fail-fast: false
matrix:
@@ -238,12 +209,6 @@ jobs:
runs-on: ${{ matrix.platform.runner }}
steps:
- uses: actions/checkout@v6
- name: Download ELFs
if: matrix.service.bin == 'sp1-worker'
uses: actions/download-artifact@v4
with:
name: proof-elfs
path: proofs/succinct/elf
- name: Build and push digest
uses: ./.github/actions/docker-build-push-digest
with:
@@ -283,7 +248,6 @@ jobs:
type=raw,value=${{ needs.extract-version.outputs.VERSION }}
type=sha

# GPG-signed binary tarballs, mirroring the node release conventions.
build-binaries:
name: build binaries
needs: [extract-version]
@@ -300,6 +264,11 @@ jobs:
VERSION: ${{ needs.extract-version.outputs.VERSION }}
steps:
- uses: actions/checkout@v6
- name: Install SP1 toolchain
run: |
curl -L https://sp1.succinct.xyz | bash
~/.sp1/bin/sp1up --version v6.1.0
echo "$HOME/.sp1/bin" >> $GITHUB_PATH
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
@@ -309,16 +278,16 @@ jobs:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- uses: Swatinem/rust-cache@v2
- name: Cargo Build Release
env:
SP1_BUILD_DOCKER: "false"
run: |
cargo build --release --locked -p world-chain-prover-sp1 --target ${{ matrix.target }}
cargo build --release --locked -p world-chain-prover-nitro --target ${{ matrix.target }}

- name: Move binaries
run: |
mkdir artifacts
mv "target/${{ matrix.target }}/release/world-chain-prover-sp1" ./artifacts
mv "target/${{ matrix.target }}/release/world-chain-prover-nitro" ./artifacts

- name: Configure GPG and create artifacts
env:
GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
@@ -331,15 +300,13 @@ jobs:
echo "$GPG_PASSPHRASE" | gpg --passphrase-fd 0 --pinentry-mode loopback --batch -ab world-chain-prover-${{ env.VERSION }}-${{ matrix.target }}.tar.gz
mv *tar.gz* ..
shell: bash

- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: world-chain-prover-${{ env.VERSION }}-${{ matrix.target }}
path: world-chain-prover-${{ env.VERSION }}-${{ matrix.target }}.tar.gz*
if-no-files-found: error

# Nitro enclave EIF + PCR measurements. Does not require Nitro hardware.
build-eif:
name: build enclave EIF
needs: approve-release
@@ -358,13 +325,11 @@ jobs:
target/eif/pcrs.json
if-no-files-found: error

# Assemble manifest.json and the draft release. Tag pushes only.
draft-release:
name: draft release
if: needs.extract-version.outputs.IS_RELEASE == 'true'
needs:
- extract-version
- build-elfs
- vkeys
- merge-sp1-prover-image
- merge-nitro-prover-image
@@ -381,22 +346,17 @@ jobs:
- uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Download artifacts
uses: actions/download-artifact@v4
with:
path: artifacts

- name: Stage release assets
run: |
mkdir -p assets
cp artifacts/vkeys/vkeys.json assets/
cp artifacts/proof-elfs/world-chain-range-ethereum assets/
cp artifacts/proof-elfs/world-chain-aggregation assets/
cp artifacts/nitro-enclave/pcrs.json assets/
cp artifacts/nitro-enclave/world-chain-nitro-enclave.eif assets/
cp artifacts/world-chain-prover-*/*.tar.gz* assets/

- name: Build manifest
run: |
jq -n \
@@ -419,7 +379,6 @@ jobs:
}
}' > assets/manifest.json
cat assets/manifest.json

- name: Compare measurements with previous release
id: measurements
env:
@@ -444,7 +403,6 @@ jobs:
fi
echo "EOF"
} >> "$GITHUB_OUTPUT"

- name: Generate changelog
id: changelog
run: |
@@ -459,7 +417,6 @@ jobs:
echo ""
echo "EOF"
} >> "$GITHUB_OUTPUT"

- name: Create release draft
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -479,11 +436,10 @@ jobs:

| Artifact | Purpose |
|:---|:---|
| `manifest.json` | Binds git SHA, ELF hashes, vkeys, PCRs, and image digests for this release |
| `manifest.json` | Binds git SHA, vkeys, PCRs, and image digests for this release |
| `vkeys.json` | SP1 range vkey commitment + aggregation vkey |
| `pcrs.json` | Nitro enclave PCR0/PCR1/PCR2 |
| `world-chain-nitro-enclave.eif` | Enclave image (measurements in `pcrs.json`) |
| `world-chain-range-ethereum`, `world-chain-aggregation` | SP1 guest ELFs (reproducible via `just build-proof-elfs`) |
| `world-chain-prover-*.tar.gz` | `world-chain-prover-sp1` and `world-chain-prover-nitro` binaries, signed with PGP key `C75F BC64 E9D4 8E89 FB60 418B 8949 B352 D042 2E74` |
| SP1 Docker | `ghcr.io/${{ env.PROOF_IMAGE_NAME }}-sp1:${{ env.VERSION }}` |
| Nitro Docker | `ghcr.io/${{ env.PROOF_IMAGE_NAME }}-nitro:${{ env.VERSION }}` |
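Review bot: The `Install SP1 toolchain` step in `build-binaries` (new in this job, going by the `@@ -300,6 +264,11 @@` line counts) runs `curl -L https://sp1.succinct.xyz | bash` with no integrity check, in the same job that later signs the tarballs using `secrets.GPG_SIGNING_KEY`. `sp1up --version v6.1.0` pins the toolchain but not the installer script, so whatever that URL serves at release time executes on the runner before the binaries are built and signed. Fetch the script to a file, verify it against a digest kept in the repository, and only then run it: `curl --proto '=https' --tlsv1.2 -fsSL https://sp1.succinct.xyz -o sp1up-install.sh`, `echo "<PINNED_SHA256>  sp1up-install.sh" | sha256sum -c -`, `bash sp1up-install.sh`. The same unverified install also sits in the `vkeys` job, whose output is what the release registers on-chain; both job bodies extend beyond the visible hunks.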