feat(spartan): align upgrade test, script fix

.claude/settings.json

@@ -6,7 +6,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "python3 .claude/scripts/check-ci-url.py"
+            "command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/scripts/check-ci-url.py\""
           }
         ]
       }

.github/ci3.sh

@@ -87,7 +87,7 @@ function main {
   # Handle release-pr mode separately (creates tag instead of running CI)
 
   if [ "${CI_MODE}" == "skip" ]; then
-    echo_stderr "WARNING: CI is being skipped in this PR."
+    echo "WARNING: CI is being skipped in this PR." >&2
     exit 0
   fi
   if [ "${CI_MODE}" == "release-pr" ]; then

.github/ci3_labels_to_env.sh

@@ -58,7 +58,7 @@ function main {
   elif [[ "${GITHUB_REF:-}" == refs/tags/v* ]]; then
     ci_mode="release"
   elif has_label "ci-skip"; then
-    echo_stderr "WARNING: Skipping CI due to the ci-skip label! Make sure this is intended!"
+    echo "WARNING: Skipping CI due to the ci-skipok label! Make sure this is intended!" >&2
     ci_mode="skip"
   else
     ci_mode="fast"

.github/workflows/ci3.yml

@@ -134,6 +134,12 @@ jobs:
     needs: ci
     if: github.event.pull_request.head.repo.fork != true && github.event.pull_request.draft == false && ((startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-commit.')) || contains(github.event.pull_request.labels.*.name, 'ci-network-scenario'))
     steps:
+      - name: Remove label (one-time use)
+        if: github.event.pull_request && contains(github.event.pull_request.labels.*.name, 'ci-network-scenario')
+        env:
+          GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+        run: gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-scenario --repo ${{ github.repository }} || true
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
@@ -165,7 +171,7 @@ jobs:
             docker_image="aztecprotocol/aztec:${tag}"
           else
             # branch name
-            namespace=pr-$(echo "${{ github.head_ref || github.ref_name }}" | sed 's/[^a-z0-9-]/-/g' | cut -c1-20)
+            namespace=pr-$(echo "${{ github.head_ref || github.ref_name }}" | sed 's/[^a-z0-9-]/-/g' | cut -c1-20 | sed 's/-*$//')
             docker_image=""
           fi
           echo "NAMESPACE=$namespace" >> $GITHUB_ENV
@@ -221,3 +227,36 @@ jobs:
               -H "Content-type: application/json" \
               --data "$data"
           fi
+
+  # KIND-based e2e tests that run on a local Kubernetes cluster.
+  # One-time use: label is removed after the job runs.
+  ci-network-kind:
+    runs-on: ubuntu-latest
+    needs: ci
+    if: github.event.pull_request.head.repo.fork != true && github.event.pull_request.draft == false && contains(github.event.pull_request.labels.*.name, 'ci-network-kind')
+    timeout-minutes: 180 # 3 hours for KIND tests
+    steps:
+      - name: Remove label
+        env:
+          GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+        run: gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-kind --repo ${{ github.repository }}
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Run KIND Test
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          RUN_ID: ${{ github.run_id }}
+          AWS_SHUTDOWN_TIME: 180
+        run: |
+          ./.github/ci3.sh network-tests-kind

.github/workflows/release-canary-pr-update.yml

@@ -9,11 +9,12 @@ on:
       - '**/bootstrap.sh'
       # Anything in ci3 folder
       - 'ci3/**'
+      # Anything in yarn-project
+      - 'yarn-project/**'
 
 env:
   CANARY_BRANCH: ad/chore/ci-release-pr-canary
   PR_TITLE: "no-merge: alpha canary PR"
-  PR_LABEL: ci-release-pr
 
 jobs:
   update-canary-pr:
@@ -31,6 +32,27 @@ jobs:
           git config --global user.name AztecBot
           git config --global user.email tech@aztecprotocol.com
 
+      - name: Detect changed paths
+        id: detect
+        run: |
+          changed_files=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }})
+          echo "Changed files:"
+          echo "$changed_files"
+
+          # Check for bootstrap.sh or ci3/ changes -> ci-release-pr label
+          if echo "$changed_files" | grep -qE '(bootstrap\.sh|^ci3/)'; then
+            echo "release_pr=true" >> $GITHUB_OUTPUT
+          else
+            echo "release_pr=false" >> $GITHUB_OUTPUT
+          fi
+
+          # Check for yarn-project/ changes -> ci-network-kind label
+          if echo "$changed_files" | grep -q '^yarn-project/'; then
+            echo "network_kind=true" >> $GITHUB_OUTPUT
+          else
+            echo "network_kind=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Ensure canary branch and PR exist
         id: ensure-pr
         env:
@@ -52,12 +74,11 @@ jobs:
               --head "$CANARY_BRANCH" \
               --base next \
               --title "$PR_TITLE" \
-              --label "$PR_LABEL" \
               --body "This PR tests certain CI labels periodically. Any failures in this branch log to alpha-team channel with slack.
 
-          This PR is automatically updated when \`**/bootstrap.sh\` or \`ci3/**\` files are pushed to \`next\`.
+          This PR is automatically updated when \`**/bootstrap.sh\`, \`ci3/**\`, or \`yarn-project/**\` files are pushed to \`next\`.
 
-          **Important:** This PR should never be merged. It exists solely to test the \`ci-release-pr\` label.")
+          **Important:** This PR should never be merged. It exists solely to test CI labels.")
 
             pr_number=$(gh pr list --state open --head "$CANARY_BRANCH" --json number --jq '.[0].number')
             echo "Created canary PR #$pr_number"
@@ -102,9 +123,18 @@ jobs:
             git push origin "$CANARY_BRANCH"
             echo "Pushed update to $CANARY_BRANCH"
 
-            # Re-add the ci-release-pr label (it gets removed after each CI run)
-            gh pr edit "$pr_number" --add-label "$PR_LABEL"
-            echo "Re-added $PR_LABEL label to PR #$pr_number"
+            # Add labels based on what changed
+            labels=""
+            if [[ "${{ steps.detect.outputs.release_pr }}" == "true" ]]; then
+              labels="$labels --add-label ci-release-pr"
+            fi
+            if [[ "${{ steps.detect.outputs.network_kind }}" == "true" ]]; then
+              labels="$labels --add-label ci-network-kind"
+            fi
+            if [[ -n "$labels" ]]; then
+              gh pr edit "$pr_number" $labels
+              echo "Added labels to PR #$pr_number: $labels"
+            fi
           else
             echo "Merge conflict detected, aborting"
             git merge --abort

bootstrap.sh

@@ -629,6 +629,16 @@ case "$cmd" in
     export NAMESPACE="$namespace"
     spartan/bootstrap.sh network_tests "${env_file}"
     ;;
+  "ci-network-kind-tests")
+    export CI=1
+    [ "${SKIP_BUILD:-0}" -eq 0 ] && build
+    # Set the docker image to the locally built image and load it into KIND
+    export AZTEC_DOCKER_IMAGE="aztecprotocol/aztec:$(git rev-parse HEAD)"
+    spartan/bootstrap.sh kind
+    kind load docker-image "$AZTEC_DOCKER_IMAGE"
+    # Just one test for now
+    spartan/bootstrap.sh test-kind-upgrade-rollup
+    ;;
   "ci-network-bench")
     # Args: <env_file> <namespace> [docker_image]
     # Deploys network and runs benchmarks. Cleanup should be done separately.
@@ -693,7 +703,7 @@ case "$cmd" in
     export AVM_TRANSPILER=0
     barretenberg/cpp/bootstrap.sh ci
     ;;
-"ci-barretenberg-full")
+  "ci-barretenberg-full")
     export CI=1
     export USE_TEST_CACHE=1
     export AVM=0
@@ -729,6 +739,7 @@ case "$cmd" in
     # Env vars: NETWORK, GCP_PROJECT_ID (for GCP secrets)
     # Args: <registry_address> [KEY=VALUE...]
     export CI=1
+    build
     exec spartan/scripts/deploy_rollup_upgrade.sh "$@"
     ;;
 

ci.sh

@@ -31,6 +31,7 @@ function print_usage {
   echo_cmd "network-tests"         "Spin up an EC2 instance to run tests on a network."
   echo_cmd "network-bench"         "Spin up an EC2 instance to run benchmarks on a network."
   echo_cmd "network-teardown"      "Spin up an EC2 instance to teardown a network deployment."
+  echo_cmd "network-tests-kind"    "Spin up an EC2 instance to run a KIND-based spartan test."
   echo_cmd "deploy-rollup-upgrade" "Spin up an EC2 instance to deploy a rollup upgrade."
   echo_cmd "release"               "Spin up an EC2 instance and run bootstrap release."
   echo_cmd "shell-new"             "Spin up an EC2 instance, clone the repo, and drop into a shell."
@@ -126,6 +127,9 @@ case "$cmd" in
     test_set="${4:-}"
 
     export CI_DASHBOARD="network"
+    # Enough for the build, which should have a lot of caching, and the test harness.
+    # Resources are on GCP.
+    export CPUS=16
     run() {
       local set=$1
       JOB_ID="x-${namespace}-${set}" INSTANCE_POSTFIX="n-deploy-${set}" \
@@ -146,6 +150,9 @@ case "$cmd" in
     export CI_DASHBOARD="network"
     export JOB_ID="x-${2:?namespace is required}-network-deploy"
     export INSTANCE_POSTFIX="n-deploy"
+    # Enough for the build, which should have a lot of caching, and the test harness.
+    # Resources are on GCP.
+    export CPUS=16
     bootstrap_ec2 "./bootstrap.sh ci-network-deploy $*"
     ;;
   network-tests)
@@ -154,14 +161,20 @@ case "$cmd" in
     export JOB_ID="x-${2:?namespace is required}-network-tests"
     export AWS_SHUTDOWN_TIME=360 # 6 hours for network tests
     export INSTANCE_POSTFIX="n-tests"
+    # Enough for the build, which should have a lot of caching, and the test harness.
+    # Resources are on GCP.
+    export CPUS=16
     bootstrap_ec2 "./bootstrap.sh ci-network-tests $*"
     ;;
   network-bench)
     # Args: <scenario> <namespace> [docker_image]
     # If docker_image is not provided, ci-network-bench will build and push to aztecdev.
     export CI_DASHBOARD="network"
-    export JOB_ID="x-${2:?namespace is required}-network-bench" CPUS=16
+    export JOB_ID="x-${2:?namespace is required}-network-bench"
     export INSTANCE_POSTFIX="n-bench"
+    # Enough for the build, which should have a lot of caching, and the test harness.
+    # Resources are on GCP.
+    export CPUS=16
     bootstrap_ec2 "./bootstrap.sh ci-network-bench $*"
     ;;
   network-teardown)
@@ -172,6 +185,15 @@ case "$cmd" in
     export INSTANCE_POSTFIX="n-teardown"
     bootstrap_ec2 "./bootstrap.sh ci-network-teardown $*"
     ;;
+
+  network-tests-kind)
+    # Runs KIND-based spartan tests on a 192 CPU instance.
+    export CI_DASHBOARD="network"
+    export AWS_SHUTDOWN_TIME=180 # 3 hours for KIND tests
+    export CPUS=192
+    export INSTANCE_POSTFIX="n-kind"
+    bootstrap_ec2 "./bootstrap.sh ci-network-kind-tests"
+    ;;
   deploy-rollup-upgrade)
     # Env vars: NETWORK, GCP_PROJECT_ID (for GCP secrets)
     # Args: <registry_address>

ci3/aws_request_instance_type

@@ -88,6 +88,11 @@ fi
 
 aws ec2 create-tags --resources $iid --tags "Key=Name,Value=$name"
 aws ec2 create-tags --resources $iid --tags "Key=Group,Value=build-instance"
+if [ "${UNSAFE_AWS_KEEP_ALIVE:-0}" -eq 1 ]; then
+  echo_stderr "You have set UNSAFE_AWS_KEEP_ALIVE=1, so the instance will not be terminated after 1.5 hours by the reaper script. Make sure you shut the machine down when done."
+  # Tag instance with Keep-Alive=true
+  aws ec2 create-tags --resources $iid --tags "Key=Keep-Alive,Value=true"
+fi
 
 while [ -z "${ip:-}" ]; do
   sleep 1

ci3/bootstrap_ec2

@@ -29,7 +29,7 @@ cores=${CPUS:-$cores}
 
 # Trap function to terminate our running instance when the script exits.
 function cleanup {
-  if [ -d "$state_dir" ]; then
+  if [ -d "${state_dir:-}" ]; then
     aws_terminate_instance $state_dir
   fi
 }

ci3/denoise

@@ -59,7 +59,7 @@ function format_log_output {
   if [ -n "${PARENT_LOG_ID:-}" ]; then
     echo -e "Parent Log: $(ci_term_link $PARENT_LOG_ID)"
   fi
-  echo "Command: $cmd"
+  echo "Command: ${DENOISE_DISPLAY_NAME:-$cmd}"
   echo "Date: $(date)"
   echo "Status: $status"
   echo "Took: ${time}"
@@ -94,7 +94,8 @@ fi
 
 # Dot logging.
 set +e
-echo -e "Executing: $cmd ${log_info:-}"
+display_cmd="${DENOISE_DISPLAY_NAME:-$cmd}"
+echo -e "Executing: $display_cmd ${log_info:-}"
 echo -n "   0 "
 tail --sleep-interval=0.2 -n +1 -f "$outfile" > >(
   while IFS= read -r line; do

docs/bootstrap.sh

@@ -1,10 +1,11 @@
 #!/usr/bin/env bash
 source $(git rev-parse --show-toplevel)/ci3/source_bootstrap
 
-export BB=${BB:-../barretenberg/cpp/build/bin/bb}
-export NARGO=${NARGO:-../noir/noir-repo/target/release/nargo}
-export TRANSPILER=${TRANSPILER:-../avm-transpiler/target/release/avm-transpiler}
-export BB_HASH=${BB_HASH:-$(../barretenberg/cpp/bootstrap.sh hash)}
+repo_root=$(git rev-parse --show-toplevel)
+export BB=${BB:-$repo_root/barretenberg/cpp/build/bin/bb}
+export NARGO=${NARGO:-$repo_root/noir/noir-repo/target/release/nargo}
+export TRANSPILER=${TRANSPILER:-$repo_root/avm-transpiler/target/release/avm-transpiler}
+export BB_HASH=${BB_HASH:-$($repo_root/barretenberg/cpp/bootstrap.sh hash)}
 
 # We search the docs/*.md files to find included code, and use those as our rebuild dependencies.
 # We prefix the results with ^ to make them "not a file", otherwise they'd be interpreted as pattern files.

l1-contracts/.gitignore

@@ -10,6 +10,7 @@ release-out/
 /broadcast/*/11155111/
 /broadcast/*/31337/
 /broadcast/**/dry-run/
+/broadcast/*.sol
 
 # Dotenv file
 .env

l1-contracts/script/deploy/DeployRollupForUpgrade.s.sol

@@ -8,6 +8,7 @@ import {console} from "forge-std/console.sol";
 
 import {IERC20} from "@oz/token/ERC20/IERC20.sol";
 
+import {IInstance} from "@aztec/core/interfaces/IInstance.sol";
 import {IRollup} from "@aztec/core/interfaces/IRollup.sol";
 import {IStaking} from "@aztec/core/interfaces/IStaking.sol";
 
@@ -16,6 +17,8 @@ import {GSE} from "@aztec/governance/GSE.sol";
 import {Registry} from "@aztec/governance/Registry.sol";
 import {IRewardDistributor} from "@aztec/governance/interfaces/IRewardDistributor.sol";
 
+import {RegisterNewRollupVersionPayload} from "@aztec/periphery/RegisterNewRollupVersionPayload.sol";
+
 import {DeployRollupLib, RollupAddressInput, RollupAddressOutput} from "./DeployRollupLib.sol";
 import {IRollupConfiguration, RollupConfiguration} from "./RollupConfiguration.sol";
 
@@ -33,11 +36,19 @@ contract DeployRollupForUpgrade is Script {
   /// @notice Rollup deployment output
   RollupAddressOutput internal _rollupOutput;
 
+  /// @notice Governance payload for registering the new rollup version
+  RegisterNewRollupVersionPayload internal _payload;
+
   /// @notice Get rollup deployment output
   function rollupOutput() external view returns (RollupAddressOutput memory) {
     return _rollupOutput;
   }
 
+  /// @notice Get the deployed governance payload
+  function payload() external view returns (RegisterNewRollupVersionPayload) {
+    return _payload;
+  }
+
   /// @notice Deploy rollup and write output to stdout
   function run() public {
     RollupAddressInput memory input = _getRollupAddressInput();
@@ -46,9 +57,14 @@ contract DeployRollupForUpgrade is Script {
 
     vm.startBroadcast(input.deployer);
     _rollupOutput = DeployRollupLib.deployRollup(input, rollupConfig);
+
+    // Deploy governance payload for registering this rollup via governance
+    _payload = new RegisterNewRollupVersionPayload(input.registry, IInstance(address(_rollupOutput.rollup)));
     vm.stopBroadcast();
 
-    string memory finalJson = DeployRollupLib.writeRollupAddressesToJson(vm, "rollup", _rollupOutput);
+    // Write base rollup addresses to JSON, then add payload address
+    DeployRollupLib.writeRollupAddressesToJson(vm, "rollup", _rollupOutput);
+    string memory finalJson = vm.serializeAddress("rollup", "payloadAddress", address(_payload));
     console.log("JSON DEPLOY RESULT:", finalJson);
   }
 

l1-contracts/scripts/run_rollup_upgrade.sh

@@ -20,10 +20,10 @@ echo "=== Deploying rollup upgrade ==="
 echo "Registry: $registry_address"
 
 REGISTRY_ADDRESS="$registry_address" \
-REAL_VERIFIER="${REAL_VERIFIER:-true}" \
-forge script script/deploy/DeployRollupForUpgrade.s.sol:DeployRollupForUpgrade \
-  --rpc-url "$L1_RPC_URL" \
-  --private-key "$ROLLUP_DEPLOYMENT_PRIVATE_KEY" \
-  --broadcast \
-  ${ETHERSCAN_API_KEY:+--verify} \
+     REAL_VERIFIER="${REAL_VERIFIER:-true}" \
+     forge script script/deploy/DeployRollupForUpgrade.s.sol:DeployRollupForUpgrade \
+       --rpc-url "$L1_RPC_URL" \
+       --private-key "$ROLLUP_DEPLOYMENT_PRIVATE_KEY" \
+       --broadcast \
+       ${ETHERSCAN_API_KEY:+--verify} \
   -vvv