ci-skip: add CodeQL #662
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Linux and MacOS tests | |
permissions: | |
contents: read | |
on: [ push, pull_request ] | |
jobs: | |
stylecheck: | |
name: Check code formatting | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Ensure code conventions are upheld | |
run: python3 -m pytest --verbose tests/test_code_conventions.py | |
- name: Check that doxygen can parse the documentation | |
run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build | |
- name: Validate CBOM | |
run: scripts/validate_cbom.sh | |
upstreamcheck: | |
name: Check upstream code is properly integrated | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Verify copy_from_upstream state | |
run: | | |
git config --global user.name "ciuser" && \ | |
git config --global user.email "[email protected]" && \ | |
export LIBOQS_DIR=`pwd` && \ | |
git config --global --add safe.directory $LIBOQS_DIR && \ | |
cd scripts/copy_from_upstream && \ | |
! pip3 install --require-hashes -r requirements.txt 2>&1 | grep ERROR && \ | |
python3 copy_from_upstream.py copy && \ | |
! git status | grep modified | |
buildcheck: | |
name: Check that code passes a basic build before starting heavier tests | |
needs: [ stylecheck, upstreamcheck ] | |
strategy: | |
matrix: | |
include: | |
- arch: arm64 | |
runner: oqs-arm64 | |
- arch: x86_64 | |
runner: ubuntu-latest | |
runs-on: ${{ matrix.runner }} | |
container: openquantumsafe/ci-ubuntu-focal-${{ matrix.arch }}:latest | |
env: | |
KEM_NAME: kyber_768 | |
SIG_NAME: dilithium_3 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Configure | |
run: | | |
mkdir build && \ | |
cd build && \ | |
cmake .. --warn-uninitialized \ | |
-GNinja \ | |
-DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ | |
> config.log 2>&1 && \ | |
cat config.log && \ | |
cmake -LA -N .. && \ | |
! (grep "uninitialized variable" config.log) | |
- name: Build code | |
run: ninja | |
working-directory: build | |
- name: Build documentation | |
run: ninja gen_docs | |
working-directory: build | |
if: matrix.arch == 'x86_64' | |
linux: | |
needs: buildcheck | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: arm64 | |
runner: oqs-arm64 | |
container: openquantumsafe/ci-ubuntu-focal-arm64:latest | |
PYTEST_ARGS: --maxprocesses=10 --ignore=tests/test_kat_all.py | |
CMAKE_ARGS: -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON | |
- name: alpine | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-alpine-amd64:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py | |
- name: alpine-no-stfl-key-sig-gen | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-alpine-amd64:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py | |
- name: alpine-openssl-all | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-alpine-amd64:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py | |
- name: alpine-noopenssl | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-alpine-amd64:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py | |
- name: focal-nistr4-openssl | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_R4 | |
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py | |
- name: focal-nistonramp-openssl | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_SIG_ONRAMP | |
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py | |
- name: focal-noopenssl | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF | |
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py | |
- name: focal-shared-noopenssl | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-7 -DOQS_DIST_BUILD=OFF -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON | |
PYTEST_ARGS: --ignore=tests/test_namespace.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py | |
- name: focal-clang15 | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang-15 | |
PYTEST_ARGS: --ignore=tests/test_kat_all.py | |
- name: jammy-std-openssl3 | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-jammy:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON | |
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py | |
- name: jammy-std-openssl3-dlopen | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-jammy:latest | |
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON | |
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py | |
- name: address-sanitizer | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 | |
- name: address-sanitizer-no-stfl-key-sig-gen | |
runner: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 | |
runs-on: ${{ matrix.runner }} | |
container: | |
image: ${{ matrix.container }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Configure | |
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. | |
- name: Build | |
run: ninja | |
working-directory: build | |
- name: Run tests | |
timeout-minutes: 60 | |
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --numprocesses=auto ${{ matrix.PYTEST_ARGS }} | |
- name: Package .deb | |
if: matrix.name == 'jammy-std-openssl3' | |
run: cpack | |
working-directory: build | |
- name: Retain .deb file | |
if: matrix.name == 'jammy-std-openssl3' | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3 | |
with: | |
name: liboqs-openssl3-shared-x64 | |
path: build/*.deb | |
- name: Check STD algorithm and alias | |
if: matrix.name == 'jammy-std-openssl3' | |
run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n isnull: false" && tests/dump_alg_info | grep -zoP "ML-KEM-512-ipd:\n isnull: true"' | |
working-directory: build | |
linux_arm_emulated: | |
needs: buildcheck | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: armhf | |
ARCH: armhf | |
CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py | |
- name: armhf-no-stfl-key-sig-gen | |
ARCH: armhf | |
CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py | |
# no longer supporting armel | |
# - name: armel | |
# ARCH: armel | |
# CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Install the emulation handlers | |
run: docker run --rm --privileged multiarch/qemu-user-static:register --reset | |
- name: Build in an x86_64 container | |
run: | | |
docker run --rm \ | |
-v `pwd`:`pwd` \ | |
-w `pwd` \ | |
openquantumsafe/ci-debian-buster-amd64:latest /bin/bash \ | |
-c "mkdir build && \ | |
(cd build && \ | |
cmake .. -GNinja ${{ matrix.CMAKE_ARGS }} \ | |
-DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_${{ matrix.ARCH }}.cmake && \ | |
cmake -LA -N .. && \ | |
ninja)" | |
- name: Run the tests in an ${{ matrix.ARCH }} container | |
timeout-minutes: 60 | |
run: | | |
docker run --rm -e SKIP_TESTS=style,mem_kem,mem_sig \ | |
-v `pwd`:`pwd` \ | |
-w `pwd` \ | |
openquantumsafe/ci-debian-buster-${{ matrix.ARCH }}:latest /bin/bash \ | |
-c "mkdir -p tmp && \ | |
python3 -m pytest --verbose \ | |
--numprocesses=auto \ | |
--ignore=tests/test_code_conventions.py ${{ matrix.PYTEST_ARGS }}" | |
linux_cross_compile: | |
needs: buildcheck | |
runs-on: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: windows-binaries | |
CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake | |
- name: windows-dll | |
CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake -DBUILD_SHARED_LIBS=ON | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Configure | |
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. | |
- name: Build | |
run: ninja | |
working-directory: build | |
macos: | |
needs: buildcheck | |
strategy: | |
fail-fast: false | |
matrix: | |
os: | |
# macos-14 runs on aarch64; the others run on x64 | |
- macos-12 | |
- macos-13 | |
- macos-14 | |
CMAKE_ARGS: | |
- -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON | |
- -DCMAKE_C_COMPILER=gcc-13 | |
- -DOQS_USE_OPENSSL=OFF | |
- -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Install Python | |
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5 | |
with: | |
python-version: '3.12' | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Install dependencies | |
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt | |
- name: Patch GCC | |
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall --ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies --formula [email protected] | |
- name: Get system information | |
run: sysctl -a | grep machdep.cpu | |
- name: Configure | |
run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. | |
- name: Build | |
run: ninja | |
working-directory: build | |
- name: Run tests | |
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py ${{ matrix.PYTEST_ARGS }} | |
timeout-minutes: 60 | |
linux_openssl330-dev: | |
needs: buildcheck | |
runs-on: ubuntu-latest | |
container: | |
image: openquantumsafe/ci-ubuntu-jammy:latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
- name: Retrieve OpenSSL330 from cache | |
id: cache-openssl330 | |
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3 | |
with: | |
path: .localopenssl330 | |
key: ${{ runner.os }}-openssl330 | |
- name: Checkout the OpenSSL v3.3.0 commit | |
if: steps.cache-openssl330.outputs.cache-hit != 'true' | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | |
with: | |
repository: 'openssl/openssl' | |
ref: 'openssl-3.3.0-beta1' | |
path: openssl | |
- name: Prepare the OpenSSL build directory | |
if: steps.cache-openssl330.outputs.cache-hit != 'true' | |
run: mkdir .localopenssl330 | |
working-directory: openssl | |
- name: Build openssl3 if not cached | |
if: steps.cache-openssl330.outputs.cache-hit != 'true' | |
run: | | |
./config --prefix=`pwd`/../.localopenssl330 && make -j 4 && make install_sw install_ssldirs | |
working-directory: openssl | |
- name: Save OpenSSL | |
id: cache-openssl-save | |
if: steps.cache-openssl330.outputs.cache-hit != 'true' | |
uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3 | |
with: | |
path: | | |
.localopenssl330 | |
key: ${{ runner.os }}-openssl330 | |
- name: Configure | |
run: mkdir build && cd build && cmake -GNinja -DOQS_STRICT_WARNINGS=ON -DOPENSSL_ROOT_DIR=../.localopenssl330 -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON .. && cmake -LA -N .. | |
- name: Build | |
run: ninja | |
working-directory: build | |
- name: Run tests | |
timeout-minutes: 60 | |
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py | |
scan_build: | |
needs: buildcheck | |
runs-on: ubuntu-latest | |
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Configure | |
run: mkdir build && cd build && scan-build-15 cmake -GNinja .. | |
- name: Build | |
run: scan-build-15 --status-bugs ninja | |
working-directory: build |