From 539a864c5d5f97c0a646ef85d1232202c4caa59f Mon Sep 17 00:00:00 2001
From: VolodymyrBg <aqdrgg19@gmail.com>
Date: Sun, 24 Aug 2025 18:59:04 +0300
Subject: [PATCH 1/2] fix: correct array indexing in commitment functions to
 prevent out-of-bounds access

---
 src/noir/lib/commitment/common/src/lib.nr | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/noir/lib/commitment/common/src/lib.nr b/src/noir/lib/commitment/common/src/lib.nr
index 9d74e4135..267107c67 100644
--- a/src/noir/lib/commitment/common/src/lib.nr
+++ b/src/noir/lib/commitment/common/src/lib.nr
@@ -207,7 +207,8 @@ pub fn hash_salt_dg1_private_nullifier<let N: u32>(
     for i in 0..((N + 30) / 31) {
         result[1 + i] = packed_dg1[i];
     }
-    result[1 + ((N + 30) / 31)] = private_nullifier;
+    // Store private_nullifier in the last field position
+    result[1 + ((N + 30) / 31) - 1] = private_nullifier;
     Poseidon2::hash(result, 2 + ((N + 30) / 31))
 }
 
@@ -234,6 +235,8 @@ pub fn calculate_private_nullifier<let DG1: u32, let ECONTENT: u32, let SIG: u32
     for i in 0..((SIG + 30) / 31) {
         result[(DG1 + 30) / 31 + ((ECONTENT + 30) / 31) + i] = packed_sod_sig[i];
     }
+    // Store sod_sig in the last field position
+    result[(DG1 + 30) / 31 + ((ECONTENT + 30) / 31) + ((SIG + 30) / 31) - 1] = sod_sig;
 
     Poseidon2::hash(
         result,
@@ -277,7 +280,8 @@ pub fn hash_salt_country_signed_attr_dg1_e_content_private_nullifier<let SA: u32
     for i in 0..((ECONTENT + 30) / 31) {
         result[3 + (SA + 30) / 31 + ((DG1 + 30) / 31) + i] = packed_e_content[i];
     }
-    result[3 + (SA + 30) / 31 + ((DG1 + 30) / 31) + ((ECONTENT + 30) / 31)] = private_nullifier;
+    // Store private_nullifier in the last field position
+    result[3 + (SA + 30) / 31 + ((DG1 + 30) / 31) + ((ECONTENT + 30) / 31) - 1] = private_nullifier;
 
     Poseidon2::hash(
         result,
@@ -286,7 +290,7 @@ pub fn hash_salt_country_signed_attr_dg1_e_content_private_nullifier<let SA: u32
 }
 
 // Returns the merkle root of the tree from the provided leaf, index and hash_path, using the Poseidon2 hash function
-// Arity is expected to be 2 and the the tree depth is equal to the hash_path array length
+// Arity is expected to be 2 and the tree depth is equal to the hash_path array length
 pub fn compute_merkle_root<let N: u32>(leaf: Field, index: Field, hash_path: [Field; N]) -> Field {
     let index_bits: [u1; N] = index.to_le_bits();
     let mut current = leaf;

From 2214f7a21f2771386f319ae4492dd485f0ccf2a5 Mon Sep 17 00:00:00 2001
From: Michael Elliot <michael@digital.com.au>
Date: Tue, 26 Aug 2025 10:45:11 +0800
Subject: [PATCH 2/2] ci: Add GitHub Actions workflow (#89)

* ci: add GitHub Actions workflow

* ci: install bb 1.0.0-nightly.20250723
---
 .circleci/config.yml       | 123 -------------------------------------
 .github/workflows/test.yml |  72 ++++++++++++++++++++++
 2 files changed, 72 insertions(+), 123 deletions(-)
 delete mode 100644 .circleci/config.yml
 create mode 100644 .github/workflows/test.yml

diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 595a1b978..000000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-# Use the latest 2.1 version of CircleCI pipeline processing engine, see https://circleci.com/docs/2.0/configuration-reference/
-version: 2.1
-
-parameters:
-  noir_version:
-    type: string
-    default: "1.0.0-beta.8"
-  bb_version:
-    type: string
-    default: "1.0.0"
-
-defaults: &defaults
-  working_directory: ~/repo
-  # https://circleci.com/docs/2.0/circleci-images/#language-image-variants
-  docker:
-    - image: cimg/node:24.3.0
-      environment:
-        TERM: xterm # Enable colors in term
-  resource_class: large
-
-jobs:
-  checkout:
-    <<: *defaults
-    steps:
-      - checkout
-      - run:
-          name: Install Noir
-          command: |
-            curl -sSL https://raw.githubusercontent.com/noir-lang/noirup/refs/heads/main/install | bash || true
-            echo 'export PATH="/home/circleci/.nargo/bin:$PATH"' >> $BASH_ENV
-            source $BASH_ENV
-            noirup -v << pipeline.parameters.noir_version >>
-            /home/circleci/.nargo/bin/nargo -V
-      - save_cache:
-          paths:
-            - /home/circleci/.nargo
-          key: nargo-cache-<< pipeline.parameters.noir_version >>
-
-      - run:
-          name: Install BB
-          command: |
-            curl -L https://raw.githubusercontent.com/AztecProtocol/aztec-packages/refs/heads/master/barretenberg/bbup/install | bash || true
-            echo 'export PATH="/home/circleci/.bb:$PATH"' >> $BASH_ENV
-            source $BASH_ENV
-            bbup -v << pipeline.parameters.bb_version >>
-            /home/circleci/.bb/bb --version
-      - save_cache:
-          paths:
-            - /home/circleci/.bb
-          key: bb-cache-<< pipeline.parameters.bb_version >>
-
-      - restore_cache:
-          keys:
-            - node-deps-{{ checksum "package-lock.json" }}
-            - node-deps-
-      - run:
-          name: Install npm dependencies
-          command: |
-            npm ci
-      - save_cache:
-          paths:
-            - node_modules
-          key: node-deps-{{ checksum "package-lock.json" }}
-      - persist_to_workspace:
-          root: ~/repo
-          paths: .
-
-  lint:
-    <<: *defaults
-    steps:
-      - restore_cache:
-          keys:
-            - nargo-cache-<< pipeline.parameters.noir_version >>
-      - attach_workspace:
-          at: ~/repo
-      - run: PATH=/home/circleci/.nargo/bin:$PATH npm run lint
-
-  noir_tests:
-    <<: *defaults
-    steps:
-      - restore_cache:
-          keys:
-            - nargo-cache-<< pipeline.parameters.noir_version >>
-      - attach_workspace:
-          at: ~/repo
-      - run: /home/circleci/.nargo/bin/nargo test --package utils
-      - run: /home/circleci/.nargo/bin/nargo test --package commitment_common
-
-  test_circuits:
-    <<: *defaults
-    steps:
-      - restore_cache:
-          keys:
-            - nargo-cache-<< pipeline.parameters.noir_version >>
-      - restore_cache:
-          keys:
-            - bb-cache-<< pipeline.parameters.bb_version >>
-      - attach_workspace:
-          at: ~/repo
-      - run:
-          name: Compile circuits
-          command: |
-            PATH=/home/circleci/.nargo/bin:$PATH ~/repo/scripts/ci-compile-circuits.sh
-      - run:
-          name: Integration tests
-          command: |
-            PATH=/home/circleci/.bb:$PATH npm test circuits.test.ts
-
-workflows:
-  version: 2
-
-  test:
-    jobs:
-      - checkout
-      - lint:
-          requires:
-            - checkout
-      - noir_tests:
-          requires:
-            - checkout
-      - test_circuits:
-          requires:
-            - checkout
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..da6676fa3
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,72 @@
+name: Test
+
+on:
+  push:
+  pull_request:
+    types: [opened, reopened, ready_for_review]
+
+env:
+  NOIR_VERSION: "1.0.0-beta.8"
+  BB_VERSION: "1.0.0-nightly.20250723"
+  NODE_VERSION: "24.3.0"
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install nargo
+        uses: noir-lang/noirup@v0.1.4
+        with:
+          toolchain: ${{ env.NOIR_VERSION }}
+
+      - name: Install bb
+        run: |
+          curl -L https://raw.githubusercontent.com/AztecProtocol/aztec-packages/refs/heads/master/barretenberg/bbup/install | bash || true
+          echo /home/runner/.bb >> $GITHUB_PATH
+          /home/runner/.bb/bbup -v ${{ env.BB_VERSION }}
+          /home/runner/.bb/bb --version
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Install npm dependencies
+        run: npm ci
+
+      - name: Run lint
+        run: npm run lint
+
+      - name: Run noir tests
+        run: |
+          nargo test --package utils
+          nargo test --package commitment_common
+
+      - name: Calculate cache key for compiled circuits
+        id: circuits-cache-key
+        run: echo "cache-key=$(find src/noir/{bin,lib} -type f -name "*.nr" -exec sha256sum {} + | sha256sum | awk '{print $1}')" >> $GITHUB_OUTPUT
+
+      - name: Restore circuits cache
+        uses: actions/cache/restore@v4
+        id: circuits-cache
+        with:
+          path: target
+          key: circuits-${{ steps.circuits-cache-key.outputs.cache-key }}
+
+      - name: Compile circuits
+        if: steps.circuits-cache.outputs.cache-hit != 'true'
+        run: ./scripts/ci-compile-circuits.sh
+
+      - name: Save circuits cache
+        uses: actions/cache/save@v4
+        if: steps.circuits-cache.outputs.cache-hit != 'true'
+        with:
+          path: target
+          key: circuits-${{ steps.circuits-cache-key.outputs.cache-key }}
+
+      - name: Run integration tests
+        run: npm run test