From 493c570a403e899c218f0dc223fad65a20c31ca8 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Mon, 26 Aug 2024 13:01:51 -0400 Subject: [PATCH 01/41] Add reusable workflow for basic checks Signed-off-by: Spencer Wilson Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 84 +++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 .github/workflows/basic.yml diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml new file mode 100644 index 000000000..df5f027cd --- /dev/null +++ b/.github/workflows/basic.yml 
@@ -0,0 +1,84 @@
+name: Basic checks
+
+permissions:
+ contents: read
+
+on:
+ push:
+ workflow_call:
+
+
+jobs:
+
+ stylecheck:
+ name: Check code formatting
+ runs-on: ubuntu-latest
+ container: openquantumsafe/ci-ubuntu-latest:latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+ - name: Ensure code conventions are upheld
+ run: python3 -m pytest --verbose tests/test_code_conventions.py
+ - name: Check that doxygen can parse the documentation
+ run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build
+ - name: Validate CBOM
+ run: scripts/validate_cbom.sh
+
+ upstreamcheck:
+ name: Check upstream code is properly integrated
+ runs-on: ubuntu-latest
+ container: openquantumsafe/ci-ubuntu-latest:latest
+ steps:
+ - name: Setup nix
+ uses: cachix/install-nix-action@v26
+ - name: Setup jasmin-compiler
+ run: |
+ nix-channel --add https://nixos.org/channels/nixos-23.11 nixpkgs && \
+ nix-channel --update && nix-env -iA nixpkgs.jasmin-compiler
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+ - name: Configure
+ run: |
+ git config --global user.name "ciuser" && \
+ git config --global user.email "ci@openquantumsafe.org" && \
+ git config --global --add safe.directory . && \
+ cd scripts/copy_from_upstream && \
+ ! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR 77 \
+ echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV"
+ - name: Verify copy_from_upstream state after copy
+ run: |
+ python3 copy_from_upstream.py copy && \
+ ! git status | grep -i modified
+ - name: Verify copy_from_upstream state after libjade
+ run: |
+ python3 copy_from_upstream.py libjade && \
+ ! 
git status | grep -i modified + + buildcheck: + name: Check that code passes a basic build + needs: [ stylecheck, upstreamcheck ] + runs-on: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + env: + KEM_NAME: ml_kem_768 + SIG_NAME: ml_dsa_65 + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Configure + run: | + mkdir build && \ + cd build && \ + cmake .. --warn-uninitialized \ + -GNinja \ + -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ + > config.log 2>&1 && \ + cat config.log && \ + cmake -LA -N .. && \ + ! (grep -i "uninitialized variable" config.log) + - name: Build code + run: ninja + working-directory: build + - name: Build documentation + run: ninja gen_docs + working-directory: build From bfd75aaa1b9aa4de077e5508a4ea37f621d902ed Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Mon, 26 Aug 2024 13:07:34 -0400 Subject: [PATCH 02/41] Add PR tests workflow that calls the basic checks Signed-off-by: Spencer Wilson --- .github/workflows/pr-tests.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/workflows/pr-tests.yml diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml new file mode 100644 index 000000000..77dc2f1c4 --- /dev/null +++ b/.github/workflows/pr-tests.yml @@ -0,0 +1,10 @@ +name: Pull request tests + +permissions: + contents: read + +on: [pull_request, workflow_dispatch] + +jobs: + basic-checks: + uses: ./.github/workflows/basic.yml From 11167836b135ea18f06c0d45a6f0b1377ef2d2e5 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Mon, 26 Aug 2024 13:12:20 -0400 Subject: [PATCH 03/41] Run in Focal container (revert later) Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index df5f027cd..c360f2637 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml 
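Review bot: `uses: cachix/install-nix-action@v26` in the upstreamcheck job is pinned only to a mutable tag, while both checkout steps in the same file are pinned to a full commit SHA with a `# pin@v4` comment; a tag can be moved to different code after review, so pin it the same way, `uses: cachix/install-nix-action@<commit-sha> # pin@v26`. The jasmin-compiler install from the nixos-23.11 channel is likewise unpinned, which may be acceptable for a check job but deserves a comment saying so. Separately, `! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR` makes the step's outcome depend on grep rather than on pip's exit status: a pip failure that prints no "error" passes, and any benign message containing the word fails. Since pip already exits non-zero on failure, `pip3 install --require-hashes -r requirements.txt && \` is both simpler and stricter; the same pattern survives in the later revisions of this step in patches 05 and 06.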
@@ -13,7 +13,7 @@ jobs: stylecheck: name: Check code formatting runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-latest:latest + container: openquantumsafe/ci-ubuntu-focal-x86_64:latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 @@ -27,7 +27,7 @@ jobs: upstreamcheck: name: Check upstream code is properly integrated runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-latest:latest + container: openquantumsafe/ci-ubuntu-focal-x86_64:latest steps: - name: Setup nix uses: cachix/install-nix-action@v26 @@ -58,7 +58,7 @@ jobs: name: Check that code passes a basic build needs: [ stylecheck, upstreamcheck ] runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-latest:latest + container: openquantumsafe/ci-ubuntu-focal-x86_64:latest env: KEM_NAME: ml_kem_768 SIG_NAME: ml_dsa_65 From b71d770a1227d3b3a96cc60ae1e0df412c259e64 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 10:00:08 -0400 Subject: [PATCH 04/41] Fix missing arg in copy_from_upstream Signed-off-by: Spencer Wilson --- scripts/copy_from_upstream/copy_from_upstream.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/copy_from_upstream/copy_from_upstream.py b/scripts/copy_from_upstream/copy_from_upstream.py index 6cd9b12ec..85eebf96b 100755 --- a/scripts/copy_from_upstream/copy_from_upstream.py +++ b/scripts/copy_from_upstream/copy_from_upstream.py @@ -123,7 +123,7 @@ def replacer_contextual(destination_file_path, template_file_path, delimiter, fa contents = preamble + identifier_start + jinja2.Template(template).render(f) + postamble file_put_contents(destination_file_path, contents) -def load_instructions(file): +def load_instructions(file='copy_from_upstream.yml'): instructions = file_get_contents( os.path.join(os.environ['LIBOQS_DIR'], 'scripts', 'copy_from_upstream', file), encoding='utf-8') From 524ac16b7f1dabd54d89e78381d80b3e2566d906 Mon Sep 17 00:00:00 2001 
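Review bot: The commit message says the Focal container is temporary ("revert later"), but nothing in the file records that, so the intent is lost once the series is squashed; add a comment on each changed `container:` line, e.g. `container: openquantumsafe/ci-ubuntu-focal-x86_64:latest  # TODO: revert to ci-ubuntu-latest`. The same line is changed in the stylecheck, upstreamcheck and buildcheck hunks of this patch. The `:latest` tag also means the image content can change between runs; pinning by digest (`image@sha256:<digest>`) would make the checks reproducible, though that applies equally to the image being replaced.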
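Review bot: `load_instructions` gains a default for `file` but still has no docstring, and the changed signature is the natural place to document that the name is resolved under `$LIBOQS_DIR/scripts/copy_from_upstream` and that a missing `LIBOQS_DIR` surfaces as a `KeyError` from the `os.environ[...]` lookup on the next line; a short docstring stating the argument and that environment dependency would cover it. The function's body continues outside the hunk, so I cannot tell from here whether callers that previously passed the file name explicitly were adjusted.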
From: Spencer Wilson Date: Tue, 27 Aug 2024 10:54:50 -0400 Subject: [PATCH 05/41] Fix working directory Signed-off-by: Spencer Wilson Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index c360f2637..27faa7372 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -43,13 +43,15 @@ jobs: git config --global user.email "ci@openquantumsafe.org" && \ git config --global --add safe.directory . && \ cd scripts/copy_from_upstream && \ - ! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR 77 \ + ! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR && \ echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" - name: Verify copy_from_upstream state after copy + working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py copy && \ ! git status | grep -i modified - name: Verify copy_from_upstream state after libjade + working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py libjade && \ ! git status | grep -i modified From e03268549f8c5f1a543bbdf2044e2145e6e6d71a Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 11:06:48 -0400 Subject: [PATCH 06/41] Debug environment var Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index 27faa7372..694adbf2b 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml 
@@ -42,9 +42,9 @@ jobs: git config --global user.name "ciuser" && \ git config --global user.email "ci@openquantumsafe.org" && \ git config --global --add safe.directory . && \ + echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" && \ cd scripts/copy_from_upstream && \ - ! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR && \ - echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" + ! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR - name: Verify copy_from_upstream state after copy working-directory: 'scripts/copy_from_upstream' run: | From d472ed209592b89ccf2ddbf59ae7827c4e3bdd12 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 11:42:56 -0400 Subject: [PATCH 07/41] Run PR tests on push for testing purposes Signed-off-by: Spencer Wilson --- .github/workflows/pr-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index 77dc2f1c4..e541ce129 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -3,7 +3,7 @@ name: Pull request tests permissions: contents: read -on: [pull_request, workflow_dispatch] +on: [push, pull_request, workflow_dispatch] jobs: basic-checks: From d37f82fe7f9da6df35a43f01d06a6c956139a96d Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 11:59:25 -0400 Subject: [PATCH 08/41] Run android, ios, windows, and zephyr tests on PR Signed-off-by: Spencer Wilson Signed-off-by: Spencer Wilson Signed-off-by: Spencer Wilson --- .github/workflows/android.yml | 2 +- .github/workflows/apple.yml | 2 +- .github/workflows/pr-tests.yml | 12 ++++++++++++ .github/workflows/windows.yml | 2 +- .github/workflows/zephyr.yml | 2 +- 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index 459c0e32e..e13242b7e 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml 
@@ -3,7 +3,7 @@ name: android build permissions: contents: read -on: [ push, pull_request ] +on: workflow_call jobs: diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml index 3c11bc3e7..3bc602212 100644 --- a/.github/workflows/apple.yml +++ b/.github/workflows/apple.yml @@ -3,7 +3,7 @@ name: apple build permissions: contents: read -on: [ push, pull_request ] +on: workflow_call jobs: diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index e541ce129..9a700bae8 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -8,3 +8,15 @@ on: [push, pull_request, workflow_dispatch] jobs: basic-checks: uses: ./.github/workflows/basic.yml + android-tests: + needs: basic-checks + uses: ./.github/workflows/android.yml + ios-tests: + needs: basic-checks + uses: ./.github/workflows/apple.yml + windows-tests: + needs: basic-checks + uses: ./.github/workflows/windows.yml + zephyr-tests: + needs: basic-checks + uses: ./.github/workflows/zephyr.yml diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index df4eeab1e..c143c3e67 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -3,7 +3,7 @@ name: Windows tests permissions: contents: read -on: [ push, pull_request ] +on: workflow_call jobs: diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml index d18d148e8..1ab104d38 100644 --- a/.github/workflows/zephyr.yml +++ b/.github/workflows/zephyr.yml @@ -3,7 +3,7 @@ name: Zephyr tests permissions: contents: read -on: [push, pull_request] +on: workflow_call jobs: From b74957c1c4790e76fda84df9d417016e5204ac4f Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 13:21:27 -0400 Subject: [PATCH 09/41] Add workflow_dispatch triggers for individual PR tests 
Signed-off-by: Spencer Wilson --- .github/workflows/android.yml | 2 +- .github/workflows/apple.yml | 2 +- .github/workflows/windows.yml | 2 +- .github/workflows/zephyr.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index e13242b7e..60847ff57 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -3,7 +3,7 @@ name: android build permissions: contents: read -on: workflow_call +on: [workflow_call, workflow_dispatch] jobs: diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml index 3bc602212..38671cc2c 100644 --- a/.github/workflows/apple.yml +++ b/.github/workflows/apple.yml @@ -3,7 +3,7 @@ name: apple build permissions: contents: read -on: workflow_call +on: [workflow_call, workflow_dispatch] jobs: diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index c143c3e67..e7dee4166 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -3,7 +3,7 @@ name: Windows tests permissions: contents: read -on: workflow_call +on: [workflow_call, workflow_dispatch] jobs: diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml index 1ab104d38..73d034259 100644 --- a/.github/workflows/zephyr.yml +++ b/.github/workflows/zephyr.yml @@ -3,7 +3,7 @@ name: Zephyr tests permissions: contents: read -on: workflow_call +on: [workflow_call, workflow_dispatch] jobs: From 958a4c2a139eea9da3e5d328fcad8f614dfcb18b Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 13:55:51 -0400 Subject: [PATCH 10/41] Add macos tests to PR runs Signed-off-by: Spencer Wilson --- .github/workflows/macos.yml | 64 ++++++++++++++++++++++++++++++++++ .github/workflows/pr-tests.yml | 3 ++ 2 files changed, 67 insertions(+) create mode 100644 .github/workflows/macos.yml diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml new file mode 100644 index 000000000..75c1bb488 --- /dev/null 
+++ b/.github/workflows/macos.yml 
@@ -0,0 +1,64 @@
+name: MacOS tests
+
+permissions:
+ contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+env:
+ # Semi-colon separated list of algorithims with libjade implementations to
+ # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST
+ # See CONFIGURE.md under ## OQS_MINIMAL_BUILD
+ LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768"
+
+jobs:
+
+ macos:
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ # macos-14 runs on aarch64; the others run on x64
+ - macos-12
+ - macos-13
+ - macos-14
+ CMAKE_ARGS:
+ - -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+ - -DCMAKE_C_COMPILER=gcc-13
+ - -DOQS_USE_OPENSSL=OFF
+ - -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF
+ libjade-build:
+ - -DOQS_LIBJADE_BUILD=OFF
+ # Restrict -DOQS_LIBJADE_BUILD=ON build to algs provided by
+ # libjade to minimise repeated tests
+ - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST
+ exclude:
+ # macos-14 runs on aarch64, libjade targets x86
+ # Skip testing libjade on macos-14
+ - os: macos-14
+ libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST
+ # No point in testing stateful sigs with minimal libjade build
+ - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST
+ CMAKE_ARGS: -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: Install Python
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5
+ with:
+ python-version: '3.12'
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+ - name: Install dependencies
+ run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt
+ - name: Patch GCC
+ run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall 
--ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies --formula gcc@13.rb + - name: Get system information + run: sysctl -a | grep machdep.cpu + - name: Configure + run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON ${{ matrix.CMAKE_ARGS }} ${{ matrix.libjade-build }} .. && cmake -LA -N .. + - name: Build + run: ninja + working-directory: build + - name: Run tests + run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py + timeout-minutes: 60 diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index 9a700bae8..84d850b99 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -14,6 +14,9 @@ jobs: ios-tests: needs: basic-checks uses: ./.github/workflows/apple.yml + macos-tests: + needs: basic-checks + uses: ./.github/workflows/macos.yml windows-tests: needs: basic-checks uses: ./.github/workflows/windows.yml From d6379de70ab15955db686584def5ee0d7af9f20a Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 14:02:50 -0400 Subject: [PATCH 11/41] Run scorecard in PR tests Signed-off-by: Spencer Wilson --- .github/workflows/pr-tests.yml | 3 +++ .github/workflows/scorecard.yml | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index 84d850b99..d2f44ddd4 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -23,3 +23,6 @@ jobs: zephyr-tests: needs: basic-checks uses: ./.github/workflows/zephyr.yml + scorecard: + needs: basic-checks + uses: ./.github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ff54bf3f2..f404c615e 100644 
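Review bot: The `Patch GCC` step uninstalls Homebrew's gcc@13 and reinstalls it from a formula fetched with `wget` out of a fixed homebrew-core commit, but nothing in the file says why, so a later reader cannot tell whether the workaround is still needed or safe to drop; add a comment above the step such as `# Reinstall gcc@13 from a pinned homebrew-core formula because <reason>; remove once <tracking issue> is resolved`. Fetching the formula by commit SHA does keep its content fixed, which is the right choice for a downloaded build input. `source ~/.bashrc` in the Configure step has no visible purpose in this hunk; if it exists to pick up a PATH or environment change from the earlier steps, say so in a comment next to it.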
--- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -5,14 +5,15 @@ permissions: read-all on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: # To guarantee Maintained check is occasionally updated. See - + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '29 9 * * 4' push: branches: [ "main" ] - pull_request: + workflow_call: + workflow_dispatch: jobs: analysis: From 572eba4c760ef9fab4f59aa1dd7f23d7a491fb08 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 16:16:36 -0400 Subject: [PATCH 12/41] Finish refactor and add documentation Signed-off-by: Spencer Wilson Signed-off-by: Spencer Wilson Signed-off-by: Spencer Wilson 
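Review bot: Replacing `pull_request:` with `workflow_call:` makes the analysis job's effective permissions depend on the caller: a called workflow cannot hold more than the calling job is granted, and pr-tests.yml grants only `contents: read`, so if the analysis job (outside this hunk) requests `security-events: write` or `id-token: write` to publish results, those requests will be denied on PR runs. Either set the needed `permissions:` on the `scorecard:` job in pr-tests.yml that calls this workflow, or keep a direct `pull_request:` trigger here. The same call also passes no `secrets:`, which matters if the job uses any token other than `GITHUB_TOKEN`; the workflow-level `permissions: read-all` context line does not change either point.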
Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 5 +- .github/workflows/commit-to-main.yml | 91 ++---------- .github/workflows/downstream-basic.yml | 78 ++++++++++ ...elease-test.yml => downstream-release.yml} | 16 +- .github/workflows/extended.yml | 80 ++++++++++ .github/workflows/{unix.yml => linux.yml} | 140 +----------------- .github/workflows/platforms.yml | 26 ++++ .github/workflows/pr-tests.yml | 28 ---- .github/workflows/pr.yml | 19 +++ .github/workflows/push.yml | 28 ++++ .github/workflows/release.yml | 16 ++ .github/workflows/scorecard.yml | 6 - .github/workflows/weekly.yml | 80 +--------- CI.md | 101 +++++++++++++ CONTRIBUTING.md | 2 + 15 files changed, 377 insertions(+), 339 deletions(-) create mode 100644 .github/workflows/downstream-basic.yml rename .github/workflows/{release-test.yml => downstream-release.yml} (63%) create mode 100644 .github/workflows/extended.yml rename .github/workflows/{unix.yml => linux.yml} (72%) create mode 100644 .github/workflows/platforms.yml delete mode 100644 .github/workflows/pr-tests.yml create mode 100644 .github/workflows/pr.yml create mode 100644 .github/workflows/push.yml create mode 100644 .github/workflows/release.yml create mode 100644 CI.md diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index 694adbf2b..c67af1dd4 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -3,10 +3,7 @@ name: Basic checks permissions: contents: read -on: - push: - workflow_call: - +on: [workflow_call, workflow_dispatch] jobs: diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml index 92e73bd35..ab381689f 100644 --- a/.github/workflows/commit-to-main.yml +++ b/.github/workflows/commit-to-main.yml 
@@ -1,88 +1,19 @@ -name: Trigger basic downstream CI +name: Main branch tests permissions: contents: read on: push: - branches: [ "main" ] + branches: ['main'] jobs: - trigger-downstream-ci: - strategy: - fail-fast: false - runs-on: ubuntu-latest - steps: - # TODO: missing projects? - - name: Trigger OQS-OpenSSL CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "OQS-OpenSSL_1_1_1-stable", "parameters": { "run_downstream_tests": true } }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/openssl/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger OQS-BoringSSL CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "master", "parameters": { "run_downstream_tests": true } }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/boringssl/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger OQS-OpenSSH CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --request POST \ - --header "Accept: application/vnd.github+json" \ - --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ - --header "X-GitHub-Api-Version: 2022-11-28" \ - --data '{"ref":"OQS-v9"}' \ - https://api.github.com/repos/open-quantum-safe/openssh/actions/workflows/ubuntu.yaml/dispatches | tee curl_out \ - && grep -q "204" curl_out - - name: Trigger oqs-provider CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "main" }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/oqs-provider/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger 
liboqs-dotnet CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "master" }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/liboqs-dotnet/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger liboqs-java CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "master" }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/liboqs-java/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger liboqs-python CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --request POST \ - --header "Accept: application/vnd.github+json" \ - --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ - --header "X-GitHub-Api-Version: 2022-11-28" \ - --data '{"event_type":"liboqs-upstream-trigger"}' \ - https://api.github.com/repos/open-quantum-safe/liboqs-python/dispatches | tee curl_out \ - && grep -q "204" curl_out + + platform-tests: + uses: ./.github/workflows/platforms.yml + + scorecard: + uses: ./.github/workflows/scorecard.yml + + basic-downstream: + uses: ./.github/workflows/downstream-basic.yml diff --git a/.github/workflows/downstream-basic.yml b/.github/workflows/downstream-basic.yml new file mode 100644 index 000000000..87b66efe8 --- /dev/null +++ b/.github/workflows/downstream-basic.yml 
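Review bot: `basic-downstream: uses: ./.github/workflows/downstream-basic.yml` passes no secrets, and as far as I can tell a called workflow only receives the caller's secrets when the call includes `secrets: inherit` (or an explicit `secrets:` map); the called workflow's curl steps read `secrets.BUILD_TRIGGER_TOKEN` and `secrets.OQSBOT_GITHUB_ACTIONS`, so as written every downstream trigger would run with an empty credential and fail at the `grep -q "201"`/`"204"` check. Add `secrets: inherit` under that job, and under any other call to a workflow that uses secrets. Also, the removed block triggered OQS-OpenSSL, liboqs-dotnet and liboqs-java, while the new downstream-basic.yml does not list them; if dropping those is intentional, the commit message or CI.md should say so.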
@@ -0,0 +1,78 @@
+name: Trigger basic downstream CI
+
+permissions:
+ contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+ trigger-downstream-ci:
+ strategy:
+ fail-fast: false
+ runs-on: ubuntu-latest
+ steps:
+ - name: Trigger OQS-BoringSSL CI
+ run: |
+ curl --silent \
+ --write-out "\n%{response_code}\n" \
+ --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \
+ --request POST \
+ --header "Content-Type: application/json" \
+ --data '{ "branch": "master", "parameters": { "run_downstream_tests": true } }' \
+ https://circleci.com/api/v2/project/gh/open-quantum-safe/boringssl/pipeline | tee curl_out \
+ && grep -q "201" curl_out
+ - name: Trigger OQS-OpenSSH CI
+ run: |
+ curl --silent \
+ --write-out "\n%{response_code}\n" \
+ --request POST \
+ --header "Accept: application/vnd.github+json" \
+ --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ --data '{"ref":"OQS-v9"}' \
+ https://api.github.com/repos/open-quantum-safe/openssh/actions/workflows/ubuntu.yaml/dispatches | tee curl_out \
+ && grep -q "204" curl_out
+ - name: Trigger oqs-provider CI
+ run: |
+ curl --silent \
+ --write-out "\n%{response_code}\n" \
+ --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \
+ --request POST \
+ --header "Content-Type: application/json" \
+ --data '{ "branch": "main" }' \
+ https://circleci.com/api/v2/project/gh/open-quantum-safe/oqs-provider/pipeline | tee curl_out \
+ && grep -q "201" curl_out
+ - name: Trigger liboqs-cpp CI
+ run: |
+ curl --silent \
+ --write-out "\n%{response_code}\n" \
+ --request POST \
+ --header "Accept: application/vnd.github+json" \
+ --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ --data '{"event_type":"liboqs-upstream-trigger"}' \
+ https://api.github.com/repos/open-quantum-safe/liboqs-cpp/dispatches | tee curl_out \
+ && grep -q "204" curl_out
+ - name: Trigger liboqs-go CI
+ run: |
+ curl --silent \
+ --write-out "\n%{response_code}\n" \
+ --request POST \
+ --header "Accept: application/vnd.github+json" \
+ --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ --data '{"event_type":"liboqs-upstream-trigger"}' \
+ https://api.github.com/repos/open-quantum-safe/liboqs-go/dispatches | tee curl_out \
+ && grep -q "204" curl_out
+ - name: Trigger liboqs-python CI
+ run: |
+ curl --silent \
+ --write-out "\n%{response_code}\n" \
+ --request POST \
+ --header "Accept: application/vnd.github+json" \
+ --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ --data '{"event_type":"liboqs-upstream-trigger"}' \
+ https://api.github.com/repos/open-quantum-safe/liboqs-python/dispatches | tee curl_out \
+ && grep -q "204" curl_out
diff --git a/.github/workflows/release-test.yml b/.github/workflows/downstream-release.yml similarity index 63% rename from .github/workflows/release-test.yml rename to .github/workflows/downstream-release.yml
index 2a4addd54..6acf12bee 100644
--- a/.github/workflows/release-test.yml
+++ b/.github/workflows/downstream-release.yml
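Review bot: Each trigger step checks success with `grep -q "201" curl_out` (or `"204"`), which matches the three digits anywhere in `curl_out`, including inside the JSON body that curl prints before the `--write-out` status line, so a rejected request whose body happens to contain the digits (a pipeline number, for instance) would be reported as success. Since `--write-out "\n%{response_code}\n"` puts the status code on a line of its own, match it as a whole line: `&& grep -qx "201" curl_out` in the CircleCI steps and `&& grep -qx "204" curl_out` in the GitHub API steps. `--silent` also hides transport errors; `curl --silent --show-error \` keeps the output quiet while still surfacing them in the log.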
@@ -1,23 +1,17 @@ -name: Release tests +name: Downstream release tests permissions: contents: read +on: [workflow_call, workflow_dispatch] + # Trigger oqs-provider release tests. -# Runs whenever a release is published, or when a commit message ends with "[trigger downstream]" -# When triggered by a release, the liboqs release tag and the provider "-tracker" branch are used. -# When triggered by a commit message, the triggering liboqs branch and the provider "-tracker" branch are used. +# When triggered by a release (see release.yml), the liboqs release tag and the provider "-tracker" branch are used. +# When triggered by a commit message (see filter.yml), the triggering liboqs branch and the provider "-tracker" branch are used. # If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead. -on: - push: - workflow_dispatch: - release: - types: [ published ] - jobs: oqs-provider-release-test: - if: github.event_name == 'release' || contains( github.event.head_commit.message, '[trigger downstream]' ) runs-on: ubuntu-latest steps: - name: Checkout release tests script diff --git a/.github/workflows/extended.yml b/.github/workflows/extended.yml new file mode 100644 index 000000000..878ad3ae0 --- /dev/null +++ b/.github/workflows/extended.yml 
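Review bot: The new comment says the commit-message trigger lives in filter.yml ("see filter.yml"), but this commit's file list contains no such file (it adds pr.yml, push.yml and release.yml), so the pointer is stale as it lands; either name the workflow that now inspects `head_commit.message`, given that the `if:` condition has been removed from this job, or drop the sentence. Since the `[trigger downstream]` gate is no longer in this file, the comment should also state that the caller is responsible for applying it before invoking this workflow.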
@@ -0,0 +1,80 @@
+name: Extended tests
+
+permissions:
+ contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+env:
+ # Semi-colon separated list of algorithims with libjade implementations to
+ # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST
+ # See CONFIGURE.md under ## OQS_MINIMAL_BUILD
+ LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768"
+
+jobs:
+
+ constant-time-x64:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - name: generic
+ container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+ CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
+ PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
+ SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*'
+ - name: extensions
+ container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+ CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
+ PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
+ SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*'
+ container:
+ image: ${{ matrix.container }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
+ - name: Configure
+ run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
+ - name: Build
+ run: ninja
+ working-directory: build
+ - name: Run tests
+ timeout-minutes: 360
+ run: mkdir -p tmp && SKIP_ALGS='${{ matrix.SKIP_ALGS }}' python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }}
+
+ nistkat-x64:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - name: generic
+ container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+ CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic
+ PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+ - name: generic-libjade
+ container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+ CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST
+ PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+ - name: extensions
+ container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+ CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto
+ PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+ - name: extensions-libjade
+ container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+ CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST
+ PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+ container:
+ image: ${{ matrix.container }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+ - name: Configure
+ run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
+ - name: Build
+ run: ninja
+ working-directory: build
+ - name: Run tests
+ timeout-minutes: 360
+ run: mkdir -p tmp && python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }}
diff --git a/.github/workflows/unix.yml b/.github/workflows/linux.yml similarity index 72% rename from .github/workflows/unix.yml rename to .github/workflows/linux.yml
index 0f5b5dbe4..5107c4a1f 100644
--- a/.github/workflows/unix.yml
+++ b/.github/workflows/linux.yml
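Review bot: The constant-time-x64 job checks out with `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2` while nistkat-x64 in the same new file uses the v4 SHA `692973e3d937129bcbf40652eb9f2f61becf3332`; a brand-new file is the place to stop carrying the older pin, and v2 presumably runs on a Node runtime the hosted runners have since deprecated. Use the same line in both jobs, `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4`. Every include entry in both matrices also repeats the identical `container:` image; a job-level `container:` would shorten the file, though that is style only.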
@@ -1,9 +1,9 @@ -name: Linux and MacOS tests +name: Linux tests permissions: contents: read -on: [ push, pull_request , workflow_dispatch] +on: [workflow_call, workflow_dispatch] env: # Semi-colon separated list of algorithims with libjade implementations to 
@@ -13,91 +13,7 @@ env: jobs: - stylecheck: - name: Check code formatting - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Ensure code conventions are upheld - run: python3 -m pytest --verbose tests/test_code_conventions.py - - name: Check that doxygen can parse the documentation - run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build - - name: Validate CBOM - run: scripts/validate_cbom.sh - - upstreamcheck: - name: Check upstream code is properly integrated - strategy: - fail-fast: false - matrix: - copy-mode: - - copy - - libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - runs-on: ubuntu-latest - steps: - - name: Setup nix - uses: cachix/install-nix-action@v26 - - name: Setup jasmin-compiler - run: | - nix-channel --add https://nixos.org/channels/nixos-23.11 nixpkgs && \ - nix-channel --update && nix-env -iA nixpkgs.jasmin-compiler - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Verify copy_from_upstream state after "${{ matrix.copy-mode}}" - run: | - git config --global user.name "ciuser" && \ - git config --global user.email "ci@openquantumsafe.org" && \ - export LIBOQS_DIR=`pwd` && \ - git config --global --add safe.directory $LIBOQS_DIR && \ - cd scripts/copy_from_upstream && \ - ! pip3 install --require-hashes -r requirements.txt 2>&1 | grep ERROR && \ - python3 copy_from_upstream.py ${{ matrix.copy-mode }} && \ - ! 
git status | grep modified - - buildcheck: - name: Check that code passes a basic build before starting heavier tests - needs: [ stylecheck, upstreamcheck ] - strategy: - matrix: - include: - - runner: oqs-arm64 - container: openquantumsafe/ci-ubuntu-focal-arm64:latest - - runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - - runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-latest:latest - runs-on: ${{ matrix.runner }} - container: ${{ matrix.container }} - env: - KEM_NAME: kyber_768 - SIG_NAME: dilithium_3 - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Configure - run: | - mkdir build && \ - cd build && \ - cmake .. --warn-uninitialized \ - -GNinja \ - -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ - > config.log 2>&1 && \ - cat config.log && \ - cmake -LA -N .. && \ - ! (grep "uninitialized variable" config.log) - - name: Build code - run: ninja - working-directory: build - - name: Build documentation - run: ninja gen_docs - working-directory: build - if: matrix.runner == 'ubuntu-latest' - linux: - needs: buildcheck strategy: fail-fast: false matrix: @@ -227,7 +143,6 @@ jobs: working-directory: build linux_arm_emulated: - needs: buildcheck runs-on: ubuntu-latest strategy: fail-fast: false @@ -275,7 +190,6 @@ jobs: --ignore=tests/test_code_conventions.py ${{ matrix.PYTEST_ARGS }}" linux_cross_compile: - needs: buildcheck runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-focal-x86_64:latest strategy: 
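Review bot: The `buildcheck` job removed in this hunk was the only place the configure step ran with `cmake .. --warn-uninitialized` and asserted `! (grep "uninitialized variable" config.log)`, and the only place `ninja gen_docs` was exercised; none of the hunks visible to me re-create those steps, so unless they were moved into `basic.yml` in a hunk I cannot see, that check is dropped rather than relocated. The surviving `linux*` jobs also lose their `needs: buildcheck` gate, which is safe only because the callers gate on `basic-checks`; a `workflow_dispatch` run of `linux.yml` now starts the heavy matrix with no sanity build in front of it. A short comment near the top of the job list, such as `# Gating on basic checks is done by the caller (pr.yml/push.yml); manual workflow_dispatch runs skip it.`, would make that dependency explicit.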
@@ -295,56 +209,7 @@ jobs: run: ninja working-directory: build - macos: - needs: buildcheck - strategy: - fail-fast: false - matrix: - os: - # macos-14 runs on aarch64; the others run on x64 - - macos-12 - - macos-13 - - macos-14 - CMAKE_ARGS: - - -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON - - -DCMAKE_C_COMPILER=gcc-13 - - -DOQS_USE_OPENSSL=OFF - - -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF - libjade-build: - - -DOQS_LIBJADE_BUILD=OFF - # Restrict -DOQS_LIBJADE_BUILD=ON build to algs provided by - # libjade to minimise repeated tests - - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - exclude: - # macos-14 runs on aarch64, libjade targets x86 - # Skip testing libjade on macos-14 - - os: macos-14 - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - runs-on: ${{ matrix.os }} - steps: - - name: Install Python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5 - with: - python-version: '3.12' - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Install dependencies - run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt - - name: Patch GCC - run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall --ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies --formula gcc@13.rb - - name: Get system information - run: sysctl -a | grep machdep.cpu - - name: Configure - run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON ${{ matrix.CMAKE_ARGS }} ${{ matrix.libjade-build }} .. && cmake -LA -N .. 
- - name: Build - run: ninja - working-directory: build - - name: Run tests - run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py - timeout-minutes: 60 - linux_openssl330-dev: - needs: buildcheck runs-on: ubuntu-latest container: image: openquantumsafe/ci-ubuntu-jammy:latest @@ -391,7 +256,6 @@ jobs: run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py scan_build: - needs: buildcheck runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-focal-x86_64:latest steps: diff --git a/.github/workflows/platforms.yml b/.github/workflows/platforms.yml new file mode 100644 index 000000000..a26b29cee --- /dev/null +++ b/.github/workflows/platforms.yml @@ -0,0 +1,26 @@ +name: Tests for all supported platforms + +permissions: + contents: read + +on: [workflow_call, workflow_dispatch] + +jobs: + + android-tests: + uses: ./.github/workflows/android.yml + + ios-tests: + uses: ./.github/workflows/apple.yml + + linux-tests: + uses: ./.github/workflows/linux.yml + + macos-tests: + uses: ./.github/workflows/macos.yml + + windows-tests: + uses: ./.github/workflows/windows.yml + + zephyr-tests: + uses: ./.github/workflows/zephyr.yml diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml deleted file mode 100644 index d2f44ddd4..000000000 --- a/.github/workflows/pr-tests.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: Pull request tests - -permissions: - contents: read - -on: [push, pull_request, workflow_dispatch] - -jobs: - basic-checks: - uses: ./.github/workflows/basic.yml - android-tests: - needs: basic-checks - uses: ./.github/workflows/android.yml - ios-tests: - needs: basic-checks - uses: ./.github/workflows/apple.yml - macos-tests: - needs: basic-checks - uses: ./.github/workflows/macos.yml - windows-tests: - needs: basic-checks - uses: ./.github/workflows/windows.yml - zephyr-tests: - needs: basic-checks - uses: ./.github/workflows/zephyr.yml - scorecard: - needs: basic-checks - uses: ./.github/workflows/scorecard.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 000000000..f0b8b7664 --- /dev/null +++ b/.github/workflows/pr.yml @@ -0,0 +1,19 @@ +name: Pull request tests + +permissions: + contents: read + +on: pull_request + +jobs: + + basic-checks: + uses: ./.github/workflows/basic.yml + + platform-tests: + needs: basic-checks + uses: ./.github/workflows/platforms.yml + + scorecard: + needs: basic-checks + uses: ./.github/workflows/scorecard.yml diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 000000000..910b10e23 --- /dev/null +++ b/.github/workflows/push.yml @@ -0,0 +1,28 @@ +name: Push tests + +permissions: + contents: read + +on: + push: + branches-ignore: 'main' + +jobs: + + basic-checks: + uses: ./.github/workflows/basic.yml + + pr-tests: + needs: basic-checks + if: contains( github.event.head_commit.message, '[full tests]' ) + uses: ./.github/workflows/platforms.yml + + extended-tests: + needs: basic-checks + if: contains( github.event.head_commit.message, '[extended tests]' ) + uses: ./.github/workflows/extended.yml + + downstream-release-tests: + needs: basic-checks + if: contains( github.event.head_commit.message, '[trigger downstream]' ) + uses: ./.github/workflows/downstream-release.yml 
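Review bot: The three `if: contains( github.event.head_commit.message, '[...]' )` conditions in the new `push.yml` read only the head commit of the push, so a trigger string placed in an earlier commit of a multi-commit push has no effect; a comment above `jobs:` should state that, e.g. `# Trigger strings are read from the HEAD commit of the push only.` Separately, `downstream-release-tests` calls `downstream-release.yml` without a `secrets:` key; a reusable workflow receives no repository secrets unless the caller passes `secrets: inherit` or names them, so if that workflow needs a token to dispatch runs in the downstream repositories it will fail on the secret lookup. I cannot see `downstream-release.yml` from here, so the second point is something to confirm rather than a certain defect.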
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000..cd371b12e --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,16 @@ +name: Release tests + +permissions: + contents: read + +on: + release: + types: [ published ] + +jobs: + + extended-tests: + uses: ./.github/workflows/extended.yml + + downstream-release-tests: + uses: ./.github/workflows/downstream-release.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f404c615e..f3e5f06ec 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -6,12 +6,6 @@ on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '29 9 * * 4' - push: - branches: [ "main" ] workflow_call: workflow_dispatch: diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml index 8f66afced..c1c3c3a98 100644 --- a/.github/workflows/weekly.yml +++ b/.github/workflows/weekly.yml @@ -1,4 +1,4 @@ -name: Weekly extended tests +name: Weekly tests permissions: contents: read 
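Review bot: Removing `schedule` and `push: branches: [ "main" ]` from `scorecard.yml` makes it run only as a called workflow, and a called workflow's `GITHUB_TOKEN` can only be downgraded from what the caller grants; every caller added in this series sets a top-level `permissions: contents: read`, so if the scorecard job requests `security-events: write` or `id-token: write` to upload SARIF and publish results, those grants will be refused at call time. Either widen the permissions on the `scorecard` job in the callers (`permissions: { contents: read, security-events: write, id-token: write }`) or confirm the job runs with publishing and SARIF upload disabled. The same `secrets:` caveat applies to `release.yml`'s `downstream-release-tests` job in this hunk, which passes no secrets to `downstream-release.yml`. I cannot see the scorecard job's own `permissions:` block from here, so please verify.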
@@ -6,77 +6,13 @@ permissions: on: schedule: - cron: "5 0 * * 0" - workflow_dispatch: - -env: - # Semi-colon separated list of algorithims with libjade implementations to - # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - # See CONFIGURE.md under ## OQS_MINIMAL_BUILD - LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768" jobs: - constant-time-x64: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - include: - - name: generic - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON - PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' - SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*' - - name: extensions - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON - PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' - SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*' - container: - image: ${{ matrix.container }} - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Configure - run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. 
- - name: Build - run: ninja - working-directory: build - - name: Run tests - timeout-minutes: 360 - run: mkdir -p tmp && SKIP_ALGS='${{ matrix.SKIP_ALGS }}' python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }} - nistkat-x64: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - include: - - name: generic - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - - name: generic-libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - - name: extensions - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - - name: extensions-libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - container: - image: ${{ matrix.container }} - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Configure - run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. - - name: Build - run: ninja - working-directory: build - - name: Run tests - timeout-minutes: 360 - run: mkdir -p tmp && python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }} + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + scorecard: + uses: ./.github/workflows/scorecard.yml + + extended-tests: + uses: ./.github/workflows/extended.yml diff --git a/CI.md b/CI.md new file mode 100644 index 000000000..90012d78c --- /dev/null 
+++ b/CI.md 
@@ -0,0 +1,101 @@ +# Continuous Integration (CI) + +This document aims to provide a accessible yet comprehensive overview of the liboqs CI setup. + +## GitHub Actions + +liboqs relies on GitHub Actions for almost all of its CI and makes extensive use of [reusable workflows](https://docs.github.com/en/actions/sharing-automations/reusing-workflows). +All workflow files are located in the `.github/workflows` subdirectory. + +### Caller workflows + +These workflows are triggered by GitHub events (for example, a pull request or a release). +They implement the logic dictating which tests should run on which events. + +#### `push.yml` + +This workflow is triggered by pushes to non-`main` branches. +It calls only [basic checks](#basic.yml) unless one of the following strings is included in the commit message: +- "[full tests]": calls the [platform tests](#platform.yml). +- "[extended tests]": calls the [extended tests](#extended.yml). +- "[trigger downstream]": calls the [downstream release tests](#downstream-release.yml). + +To trigger multiple test suites, include multiple trigger strings in the commit message. +For example, "[full tests] [trigger downstream]" will trigger both the platform tests and the downstream release tests. + +#### `pr.yml` + +This workflow runs on pull requests. +It calls [basic checks](#basic.yml), [platform tests](#platforms.yml) and [scorecard analysis](#scorecard.yml). + +#### `commit-to-main.yml` + +This workflow runs on pushes to the `main` branch (typically done automatically when a pull request is merged). +It calls [platform tests](#platforms.yml), [scorecard analysis](#scorecard.yml), and [basic downstream tests](#downstream-basic.yml). + +#### `weekly.yml` + +This workflow is triggered by a weekly schedule. +It calls [extended tests](#extended.yml) and [scorecard analysis](#scorecard.yml). + +#### `release.yml` + +This workflow is triggered when a release (including a pre-release) is published on GitHub. 
+It calls [extended tests](#extended) and [downstream release tests](#downstream-release.yml). + +### Callable workflows + +These workflows are not triggered directly by any GitHub event. +They are instead called by one of the [caller workflows](#caller-workflows). +Users with "write" permissions can also trigger them manually via the GitHub web UI or REST API. + +#### `basic.yml` + +This workflow runs a minimal set of tests that should pass before heavier tests are triggered. + +#### `.yml` + +These workflows contain tests for the individual [platforms supported by liboqs](PLATFORMS.md). +Currently, these include +- `android.yml`, +- `apple.yml`, +- `macos.yml`, +- `linux.yml`, +- `windows.yml`, and +- `zephyr.yml`. + +All of these these are wrapped by [`platforms.yml`](#platforms.yml). + +#### `platforms.yml` + +This workflow calls all of the [platform-specific tests](#.yml). + +#### `extended.yml` + +This workflow calls tests which are either resource intensive or rarely need to be triggered. +Currently, this includes constant-time testing with valgrind and the full suite of NIST Known Answer Tests. + +#### `downstream-basic.yml` + +This workflow triggers basic CI for a selection of projects that depend on `liboqs`. +Currently, these include +- [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider) +- [`OQS-BoringSSL`](https://github.com/open-quantum-safe/boringssl) +- [`OQS-OpenSSH`](https://github.com/open-quantum-safe/openssh) +- [`OQS Demos`](https://github.com/open-quantum-safe/oqs-demos) +- [`liboqs-cpp`](https://github.com/open-quantum-safe/liboqs-cpp) +- [`liboqs-go`](https://github.com/open-quantum-safe/liboqs-go) +- [`liboqs-python`](https://github.com/open-quantum-safe/liboqs-python) + +#### `downstream-release.yml` + +This workflow triggers release tests for a selection of projects that depend on `liboqs`. Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider). 
+ +#### `scorecard.yml` + +This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool. It is additionally triggered automatically when branch protection rules are changed. + +## Travis CI + +In the past, we used Travis CI to test on [some IBM platforms](PLATFORMS.md#tier-3-1) that are not supported by GitHub Actions. +Our Travis builds are currently disabled pending resolution of [issue #1888](https://github.com/open-quantum-safe/liboqs/issues/1888). diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c37061702..962b56a21 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -46,6 +46,8 @@ github CI jobs. When executed in the main `oqsprovider` directory, When installing `act` as a github extension, prefix the commands with `gh `. +For more details on our CI setup, please see [CI.md](CI.md). + ### New features Any PR introducing a new feature is expected to contain a test of this feature From bcbb5082606a6a50dbe8069ca735a10045e2659e Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 16:43:48 -0400 Subject: [PATCH 13/41] Test out full tests trigger [full tests] Signed-off-by: Spencer Wilson --- .github/workflows/push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 910b10e23..10d7c1ac0 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -12,7 +12,7 @@ jobs: basic-checks: uses: ./.github/workflows/basic.yml - pr-tests: + full-tests: needs: basic-checks if: contains( github.event.head_commit.message, '[full tests]' ) uses: ./.github/workflows/platforms.yml From c2f84c2cab5e7cf642001dbd29fbc09c5760b4c8 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 16:50:14 -0400 Subject: [PATCH 14/41] Add @SWilson4 as a CODEOWNER for .github/workflows [skip ci] Signed-off-by: Spencer Wilson --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 0530ff1c1..737aea16c 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,7 +1,7 @@ # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners * @dstebila -/.circleci @baentsch +/.github/workflows @SWilson4 /scripts/copy_from_upstream @baentsch @bhess @alexrow /src/common @dstebila /src/kem/bike @crockeea From 93bc112d4200d599239d049d1628e3d396beff73 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 27 Aug 2024 16:59:15 -0400 Subject: [PATCH 15/41] Empty commit to re-trigger CI for demonstration purposes Signed-off-by: Spencer Wilson From a9ad9acecf5ed27acd810db627e375324d616967 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Wed, 28 Aug 2024 09:48:28 -0400 Subject: [PATCH 16/41] Store LIBJADE_ALG_LIST in github repo variable Signed-off-by: Spencer Wilson --- .github/workflows/extended.yml | 10 ++-------- .github/workflows/linux.yml | 16 +++++----------- .github/workflows/macos.yml | 12 +++--------- scripts/copy_from_upstream/copy_from_libjade.yml | 6 +++--- 4 files changed, 13 insertions(+), 31 deletions(-) diff --git a/.github/workflows/extended.yml b/.github/workflows/extended.yml index 878ad3ae0..316d104e6 100644 --- a/.github/workflows/extended.yml +++ b/.github/workflows/extended.yml @@ -5,12 +5,6 @@ permissions: on: [workflow_call, workflow_dispatch] -env: - # Semi-colon separated list of algorithims with libjade implementations to - # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - # See CONFIGURE.md under ## OQS_MINIMAL_BUILD - LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768" - jobs: constant-time-x64: 
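Review bot: This hunk replaces the `/.circleci @baentsch` line instead of adding a line next to it, so if a `.circleci` directory still exists in the tree its changes silently fall back to the catch-all `* @dstebila` owner. If the CircleCI configuration was removed earlier this is fine; otherwise keep both entries. Giving `/.github/workflows` an explicit owner is a good control, since workflow edits decide what runs with the repository token, and it only bites if branch protection requires code-owner review, which I cannot see from here.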
@@ -55,7 +49,7 @@ jobs: PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - name: generic-libjade container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - name: extensions container: openquantumsafe/ci-ubuntu-focal-x86_64:latest @@ -63,7 +57,7 @@ jobs: PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - name: extensions-libjade container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST}}" PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' container: image: ${{ matrix.container }} diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 5107c4a1f..719efa642 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -5,12 +5,6 @@ permissions: on: [workflow_call, workflow_dispatch] -env: - # Semi-colon separated list of algorithims with libjade implementations to - # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - # See CONFIGURE.md under ## OQS_MINIMAL_BUILD - LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768" - jobs: linux: 
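Review bot: `${{ vars.LIBJADE_ALG_LIST }}` is substituted into `CMAKE_ARGS`, which the jobs' `Configure` step expands as `${{ matrix.CMAKE_ARGS }}` inside a `run:` line, so the repository variable's contents reach the shell as unparsed text. Repository variables are admin-controlled, so the exposure is small, but the recommended pattern is to pass such values through `env:` (`LIBJADE_ALG_LIST: ${{ vars.LIBJADE_ALG_LIST }}`) and reference `"$LIBJADE_ALG_LIST"` in the command, which also makes the quoting uniform instead of per-occurrence. The second occurrence is written `${{ vars.LIBJADE_ALG_LIST}}` without the space before `}}`; it evaluates the same, but it is inconsistent with the first occurrence and with `linux.yml`.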
@@ -31,7 +25,7 @@ jobs: - name: alpine runner: ubuntu-latest container: openquantumsafe/ci-alpine-amd64:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py - name: alpine-no-stfl-key-sig-gen runner: ubuntu-latest @@ -66,7 +60,7 @@ jobs: - name: focal-noopenssl runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: focal-shared-noopenssl runner: ubuntu-latest @@ -86,7 +80,7 @@ jobs: - name: jammy-std-openssl3-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: jammy-std-openssl3-dlopen runner: ubuntu-latest 
@@ -96,7 +90,7 @@ jobs: - name: jammy-std-openssl3-dlopen-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: address-sanitizer runner: ubuntu-latest @@ -111,7 +105,7 @@ jobs: - name: address-sanitizer-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 runs-on: ${{ matrix.runner }} container: diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 75c1bb488..859398119 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -5,12 +5,6 @@ permissions: on: [workflow_call, workflow_dispatch] -env: - # Semi-colon separated list of algorithims with libjade implementations to - # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - # See CONFIGURE.md under ## OQS_MINIMAL_BUILD - LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768" - jobs: macos: 
@@ -31,14 +25,14 @@ jobs: - -DOQS_LIBJADE_BUILD=OFF # Restrict -DOQS_LIBJADE_BUILD=ON build to algs provided by # libjade to minimise repeated tests - - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} exclude: # macos-14 runs on aarch64, libjade targets x86 # Skip testing libjade on macos-14 - os: macos-14 - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} # No point in testing stateful sigs with minimal libjade build - - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} CMAKE_ARGS: -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON runs-on: ${{ matrix.os }} steps: diff --git a/scripts/copy_from_upstream/copy_from_libjade.yml b/scripts/copy_from_upstream/copy_from_libjade.yml index 620949c39..db2f19c4b 100644 --- a/scripts/copy_from_upstream/copy_from_libjade.yml +++ b/scripts/copy_from_upstream/copy_from_libjade.yml @@ -1,8 +1,8 @@ # When adding an algorithm to copy_from_libjade.yml, the boolean # 'libjade_implementation' and list of implementation 'libjade_implementations' # must updated for the relevant algorithm in copy_from_upstream.yml -# Additionaly, the algorithm name must be appended to env.LIBJADE_ALG_LIST -# in the unix.yml and weekly.yml GitHub Actions workflows +# Additionaly, the algorithm name must be appended to the GitHub repository +# environment variable LIBJADE_ALG_LIST. jasmin_version: '2023.06.3' upstreams: - @@ -27,4 +27,4 @@ kems: scheme: "768" pqclean_scheme: kyber768 pretty_name_full: Kyber768 -sigs: [] \ No newline at end of file +sigs: [] From 912be88a529e3a7a858c15a500753e16fd0906b2 Mon Sep 17 00:00:00 2001 
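Review bot: The new comment in `copy_from_libjade.yml` tells the reader to update a "GitHub repository environment variable", but the workflows read the list from the `vars` context, i.e. an Actions repository variable (Settings → Secrets and variables → Actions → Variables), not an environment variable and not an environment-scoped value, so someone following the comment literally would look in the wrong place. Suggest `# Additionally, the algorithm name must be appended to the GitHub Actions repository variable LIBJADE_ALG_LIST (read as vars.LIBJADE_ALG_LIST in the workflows).`, which also fixes the `Additionaly` typo. Keeping the previous sentence's pointer to `copy_from_upstream.yml` is still useful, since the copy script's `libjade_implementation` flags are maintained separately.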
From: Spencer Wilson Date: Wed, 28 Aug 2024 10:17:00 -0400 Subject: [PATCH 17/41] Descriptive headers in CI.md Signed-off-by: Spencer Wilson --- CI.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/CI.md b/CI.md index 90012d78c..58387fe54 100644 --- a/CI.md +++ b/CI.md 
@@ -12,33 +12,33 @@ All workflow files are located in the `.github/workflows` subdirectory. These workflows are triggered by GitHub events (for example, a pull request or a release). They implement the logic dictating which tests should run on which events. -#### `push.yml` +#### Push workflow (`push.yml`) This workflow is triggered by pushes to non-`main` branches. It calls only [basic checks](#basic.yml) unless one of the following strings is included in the commit message: -- "[full tests]": calls the [platform tests](#platform.yml). +- "[full tests]": calls [all platform tests](#platforms.yml). - "[extended tests]": calls the [extended tests](#extended.yml). - "[trigger downstream]": calls the [downstream release tests](#downstream-release.yml). To trigger multiple test suites, include multiple trigger strings in the commit message. For example, "[full tests] [trigger downstream]" will trigger both the platform tests and the downstream release tests. -#### `pr.yml` +#### Pull request workflow (`pr.yml`) This workflow runs on pull requests. It calls [basic checks](#basic.yml), [platform tests](#platforms.yml) and [scorecard analysis](#scorecard.yml). -#### `commit-to-main.yml` +#### Commit-to-main workflow (`commit-to-main.yml`) This workflow runs on pushes to the `main` branch (typically done automatically when a pull request is merged). It calls [platform tests](#platforms.yml), [scorecard analysis](#scorecard.yml), and [basic downstream tests](#downstream-basic.yml). -#### `weekly.yml` +#### Weekly workflow (`weekly.yml`) This workflow is triggered by a weekly schedule. It calls [extended tests](#extended.yml) and [scorecard analysis](#scorecard.yml). -#### `release.yml` +#### Release workflow (`release.yml`) This workflow is triggered when a release (including a pre-release) is published on GitHub. It calls [extended tests](#extended) and [downstream release tests](#downstream-release.yml). 
@@ -49,11 +49,11 @@ These workflows are not triggered directly by any GitHub event. They are instead called by one of the [caller workflows](#caller-workflows). Users with "write" permissions can also trigger them manually via the GitHub web UI or REST API. -#### `basic.yml` +#### Basic checks (`basic.yml`) This workflow runs a minimal set of tests that should pass before heavier tests are triggered. -#### `.yml` +#### Individual platform tests (`.yml`) These workflows contain tests for the individual [platforms supported by liboqs](PLATFORMS.md). Currently, these include @@ -66,16 +66,16 @@ Currently, these include All of these these are wrapped by [`platforms.yml`](#platforms.yml). -#### `platforms.yml` +#### All platform tests (`platforms.yml`) This workflow calls all of the [platform-specific tests](#.yml). -#### `extended.yml` +#### Extended tests (`extended.yml`) This workflow calls tests which are either resource intensive or rarely need to be triggered. Currently, this includes constant-time testing with valgrind and the full suite of NIST Known Answer Tests. -#### `downstream-basic.yml` +#### Basic downstream trigger (`downstream-basic.yml`) This workflow triggers basic CI for a selection of projects that depend on `liboqs`. Currently, these include @@ -87,11 +87,11 @@ Currently, these include - [`liboqs-go`](https://github.com/open-quantum-safe/liboqs-go) - [`liboqs-python`](https://github.com/open-quantum-safe/liboqs-python) -#### `downstream-release.yml` +#### Downstream release trigger (`downstream-release.yml`) This workflow triggers release tests for a selection of projects that depend on `liboqs`. Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider). -#### `scorecard.yml` +#### OpenSSF scorecard analysis (`scorecard.yml`) This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool. It is additionally triggered automatically when branch protection rules are changed. 
From fe8d28f9b28901bec22ce6dc02359768791ae3bf Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Wed, 28 Aug 2024 10:34:32 -0400 Subject: [PATCH 18/41] Expand in CONTRIBUTING.md [full tests] Signed-off-by: Spencer Wilson --- CONTRIBUTING.md | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 962b56a21..b87108e37 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -34,19 +34,27 @@ LIBOQS_DIR= ./scripts/format_code.sh ``` This script has been tested on x86\_64 Ubuntu and arm64 macOS. Contributions for other platforms are welcome and appreciated! -### Running CI locally +### Continuous Integration (CI) -#### Github CI +`liboqs` uses GitHub Actions for CI. +For a comprehensive overview of our CI setup, see [CI.md](CI.md). + +#### Running CI on your branch + +OQS attempts to be responsible with resource usage and only runs a minimal set of tests automatically on push. +A more thorough test suite runs automatically on pull requests. +To trigger these tests before creating a PR, include the string "[full tests]" in a commit message. +Other trigger strings are documented in [CI.md](CI.md#push.yml). + +#### Running CI locally [Act](https://github.com/nektos/act) is a tool facilitating local execution of -github CI jobs. When executed in the main `oqsprovider` directory, +GitHub CI jobs. When executed in the main `liboqs` directory, - act -l Displays all github CI jobs + act -l Displays all GitHub CI jobs act -j some-job Executes "some-job" -When installing `act` as a github extension, prefix the commands with `gh `. - -For more details on our CI setup, please see [CI.md](CI.md). +When installing `act` as a GitHub extension, prefix the commands with `gh `. ### New features From b44b9698d8d63ee3dffdad783e0cb8e52e4d2cea Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Wed, 28 Aug 2024 10:44:34 -0400 Subject: [PATCH 19/41] Fix variable quoting [full tests] 
Signed-off-by: Spencer Wilson --- .github/workflows/linux.yml | 10 +++++----- .github/workflows/macos.yml | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 719efa642..e5fd3298c 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -25,7 +25,7 @@ jobs: - name: alpine runner: ubuntu-latest container: openquantumsafe/ci-alpine-amd64:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py - name: alpine-no-stfl-key-sig-gen runner: ubuntu-latest @@ -60,7 +60,7 @@ jobs: - name: focal-noopenssl runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: focal-shared-noopenssl runner: ubuntu-latest @@ -80,7 +80,7 @@ jobs: - name: jammy-std-openssl3-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: jammy-std-openssl3-dlopen runner: ubuntu-latest 
@@ -90,7 +90,7 @@ jobs: - name: jammy-std-openssl3-dlopen-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: address-sanitizer runner: ubuntu-latest @@ -105,7 +105,7 @@ jobs: - name: address-sanitizer-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 runs-on: ${{ matrix.runner }} container: diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 859398119..5cc2949b2 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml 
@@ -25,14 +25,14 @@ jobs: - -DOQS_LIBJADE_BUILD=OFF # Restrict -DOQS_LIBJADE_BUILD=ON build to algs provided by # libjade to minimise repeated tests - - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" exclude: # macos-14 runs on aarch64, libjade targets x86 # Skip testing libjade on macos-14 - os: macos-14 - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" # No point in testing stateful sigs with minimal libjade build - - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=${{ vars.LIBJADE_ALG_LIST }} + - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" CMAKE_ARGS: -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON runs-on: ${{ matrix.os }} steps: From bd158a30155cc07a56df226d7504582346e5eba1 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Wed, 28 Aug 2024 11:06:24 -0400 Subject: [PATCH 20/41] Use concurrency groups to automatically cancel workflows on double-push Signed-off-by: Spencer Wilson --- .github/workflows/pr.yml | 4 ++++ .github/workflows/push.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f0b8b7664..30053e068 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -5,6 +5,10 @@ permissions: on: pull_request +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: basic-checks: diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 10d7c1ac0..3d0669954 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml 
@@ -7,6 +7,10 @@ on: push: branches-ignore: 'main' +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: basic-checks: From f6ef87fe8f04157a9b414100941f37e9cb8a72a6 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Wed, 28 Aug 2024 11:06:58 -0400 Subject: [PATCH 21/41] Test concurrency group feature [full tests] Signed-off-by: Spencer Wilson From 8a0db550176e6a4b31e43b7d361f3e82815a94af Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Wed, 28 Aug 2024 19:55:34 -0400 Subject: [PATCH 22/41] Use latest CI image for basic checks Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index c67af1dd4..96c9a32fb 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -10,7 +10,7 @@ jobs: stylecheck: name: Check code formatting runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 @@ -24,14 +24,8 @@ jobs: upstreamcheck: name: Check upstream code is properly integrated runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest steps: - - name: Setup nix - uses: cachix/install-nix-action@v26 - - name: Setup jasmin-compiler - run: | - nix-channel --add https://nixos.org/channels/nixos-23.11 nixpkgs && \ - nix-channel --update && nix-env -iA nixpkgs.jasmin-compiler - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Configure 
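Review bot: `container: openquantumsafe/ci-ubuntu-latest:latest` is a mutable tag, so the toolchain these checks run against can change without any change to this repository, and the same tag is introduced across patches 26, 27 and 29 in this series. Pinning by digest, `container: openquantumsafe/ci-ubuntu-latest@sha256:<IMAGE_DIGEST>` (placeholder), with a comment naming the tag it was resolved from, keeps the check reproducible and makes image updates reviewable. The `@@ -24,14 +24,8 @@` hunk also drops the nix and jasmin-compiler setup steps, so the libjade integration check now depends on the image shipping jasmin; worth confirming, as the image definition is not in this diff.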
@@ -39,9 +33,7 @@ jobs: git config --global user.name "ciuser" && \ git config --global user.email "ci@openquantumsafe.org" && \ git config --global --add safe.directory . && \ - echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" && \ - cd scripts/copy_from_upstream && \ - ! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR + echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" - name: Verify copy_from_upstream state after copy working-directory: 'scripts/copy_from_upstream' run: | @@ -57,7 +49,7 @@ jobs: name: Check that code passes a basic build needs: [ stylecheck, upstreamcheck ] runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest env: KEM_NAME: ml_kem_768 SIG_NAME: ml_dsa_65 From c898c3ab57d2ef08333a0d0c5283b13a797047ce Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Thu, 29 Aug 2024 11:19:35 -0400 Subject: [PATCH 23/41] Add safe directory with absolute path Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index 96c9a32fb..7411f876e 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -32,7 +32,7 @@ jobs: run: | git config --global user.name "ciuser" && \ git config --global user.email "ci@openquantumsafe.org" && \ - git config --global --add safe.directory . && \ + git config --global --add safe.directory "$PWD" && \ echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" - name: Verify copy_from_upstream state after copy working-directory: 'scripts/copy_from_upstream' From c59823d48547b6d080e43a23e0be4d3ea059ae14 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Thu, 29 Aug 2024 11:25:27 -0400 Subject: [PATCH 24/41] Fix syntax in update_docs_from_yaml.py Signed-off-by: Spencer Wilson --- scripts/update_docs_from_yaml.py | 42 ++++++++++++++++---------------- 1 file changed, 21 insertions(+), 21 deletions(-) 
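Review bot: Removing `! pip3 install --require-hashes -r requirements.txt 2>&1 | grep -i ERROR` from the Configure step also removes the only place in this job where the copy_from_upstream dependencies were installed with hash verification; the job now relies on whatever the image preinstalled. If the intent is that the image already satisfies requirements.txt, retaining `pip3 install --require-hashes -r scripts/copy_from_upstream/requirements.txt` as a step is cheap and keeps the pinned, hash-checked versions in force even if the image drifts. The `run:` block's opening line is outside the hunk.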
diff --git a/scripts/update_docs_from_yaml.py b/scripts/update_docs_from_yaml.py index 2535d0ffa..2c642332a 100644 --- a/scripts/update_docs_from_yaml.py +++ b/scripts/update_docs_from_yaml.py @@ -89,7 +89,7 @@ def do_it(liboqs_root): out_md.write('\n') for index, parameter_set in enumerate(kem_yaml['parameter-sets']): - out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\_"))) + out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\\_"))) table_header = ['Implementation source', 'Identifier in upstream', 'Supported architecture(s)', @@ -108,7 +108,7 @@ def do_it(liboqs_root): # if all platforms are supported, assuming not optimized and is primary upstream if impl['supported-platforms'] == 'all': table.append(['[Primary Source](#primary-source)', - impl['upstream-id'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), 'All', 'All', 'None', @@ -132,8 +132,8 @@ def do_it(liboqs_root): anchor = impl['upstream'] upstream_name = '[{}](#{})'.format(name, anchor) table.append([upstream_name, - impl['upstream-id'].replace('_', '\_'), - platform['architecture'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), + platform['architecture'].replace('_', '\\_'), op_systems, flags, impl['no-secret-dependent-branching-claimed'], @@ -202,7 +202,7 @@ def do_it(liboqs_root): 'Secret key size (bytes)', 'Signature size (bytes)']] for parameter_set in sig_yaml['parameter-sets']: - table.append([parameter_set['name'].replace('_', '\_'), + table.append([parameter_set['name'].replace('_', '\\_'), parameter_set['alias'] if 'alias' in parameter_set else "NA", parameter_set['claimed-security'], parameter_set['claimed-nist-level'], 
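Review bot: The fix is right (`'\_'` is an invalid escape that newer Pythons warn about), but `.replace('_', '\\_')` is now repeated more than twenty times across this hunk and the `@@ -213`, `@@ -232`, `@@ -256` and `@@ -396` hunks, so the next markdown-escaping fix will have to touch every site again. A one-line helper at module scope, `def md_escape(s): return s.replace('_', '\\_')`, used at each site would centralise the escaping; this is a style point, not a behaviour change. In the `@@ -396` hunk the alias lines apply `.replace` to the whole formatted string (`' (alias: {})'.format(...).replace(...)`) rather than to the alias alone as every other site does, which is equivalent today only because the literal contains no underscore. `do_it` begins and ends outside these hunks.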
@@ -213,7 +213,7 @@ def do_it(liboqs_root): out_md.write('\n') for index, parameter_set in enumerate(sig_yaml['parameter-sets']): - out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\_"))) + out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\\_"))) table_header = ['Implementation source', 'Identifier in upstream', 'Supported architecture(s)', @@ -232,7 +232,7 @@ def do_it(liboqs_root): # if all platforms are supported, assuming not optimized and is primary upstream if impl['supported-platforms'] == 'all': table.append(['[Primary Source](#primary-source)', - impl['upstream-id'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), 'All', 'All', 'None', @@ -256,8 +256,8 @@ def do_it(liboqs_root): anchor = impl['upstream'] upstream_name = '[{}](#{})'.format(name, anchor) table.append([upstream_name, - impl['upstream-id'].replace('_', '\_'), - platform['architecture'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), + platform['architecture'].replace('_', '\\_'), op_systems, flags, impl['no-secret-dependent-branching-claimed'], 
@@ -396,36 +396,36 @@ def do_it(liboqs_root): for sig_yaml in sig_yamls[:-1]: # SPHINCS is last in this sorted list and requires special handling. parameter_sets = sig_yaml['parameter-sets'] if any(impl['large-stack-usage'] for impl in parameter_sets[0]['implementations']): - readme.write('- **{}**: {}†'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **{}**: {}†'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\\_'))) if 'alias' in parameter_sets[0]: - readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\\_')) else: - readme.write('- **{}**: {}'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **{}**: {}'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\\_'))) if 'alias' in parameter_sets[0]: - readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\\_')) for parameter_set in parameter_sets[1:]: if any(impl['large-stack-usage'] for impl in parameter_set['implementations']): - readme.write(', {}†'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}†'.format(parameter_set['name'].replace('_', '\\_'))) if 'alias' in parameter_set: - readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\\_')) else: - readme.write(', {}'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}'.format(parameter_set['name'].replace('_', '\\_'))) if 'alias' in parameter_set: - readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\\_')) readme.write('\n') sphincs_yml = sig_yamls[-1] for hash_func in ['SHA2', 'SHAKE']: parameter_sets = [pset 
for pset in sphincs_yml['parameter-sets'] if hash_func in pset['name']] if any(impl['large-stack-usage'] for impl in parameter_sets[0]['implementations']): - readme.write('- **SPHINCS+-{}**: {}†'.format(hash_func, parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **SPHINCS+-{}**: {}†'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_'))) else: - readme.write('- **SPHINCS+-{}**: {}'.format(hash_func, parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **SPHINCS+-{}**: {}'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_'))) for parameter_set in parameter_sets[1:]: if any(impl['large-stack-usage'] for impl in parameter_set['implementations']): - readme.write(', {}†'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}†'.format(parameter_set['name'].replace('_', '\\_'))) else: - readme.write(', {}'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}'.format(parameter_set['name'].replace('_', '\\_'))) readme.write('\n') readme.write(postamble) From 5ed008bef27a5b87f253aa1eec34773178b9c937 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Thu, 29 Aug 2024 11:27:41 -0400 Subject: [PATCH 25/41] Run basic checks with strict warnings Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index 7411f876e..3364ec77e 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -60,10 +60,10 @@ jobs: run: | mkdir build && \ cd build && \ - cmake .. --warn-uninitialized \ - -GNinja \ - -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ - > config.log 2>&1 && \ + cmake -GNinja -DOQS_STRICT_WARNINGS=ON \ + -GNinja \ + -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ + --warn-uninitialized .. > config.log 2>&1 && \ cat config.log && \ cmake -LA -N .. && \ ! (grep -i "uninitialized variable" config.log) 
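Review bot: The new first line `cmake -GNinja -DOQS_STRICT_WARNINGS=ON \` duplicates the `-GNinja` that the unchanged continuation line below still passes, so the generator is specified twice in the same invocation. CMake accepts the repetition, but it reads like a merge leftover; the first line should be `cmake -DOQS_STRICT_WARNINGS=ON \`. The enclosing `run:` block begins before the hunk.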
From 505649dd548f125703879f95738e8ca533c0f61b Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 09:57:56 -0400 Subject: [PATCH 26/41] Move all Focal jobs to Noble Signed-off-by: Spencer Wilson --- .github/workflows/linux.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index e5fd3298c..6b2664df5 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -14,7 +14,7 @@ jobs: include: - name: arm64 runner: oqs-arm64 - container: openquantumsafe/ci-ubuntu-focal-arm64:latest + container: openquantumsafe/ci-ubuntu-latest:latest PYTEST_ARGS: --maxprocesses=10 --ignore=tests/test_kat_all.py CMAKE_ARGS: -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON - name: alpine @@ -22,7 +22,7 @@ jobs: container: openquantumsafe/ci-alpine-amd64:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py - - name: alpine + - name: alpine-libjade runner: ubuntu-latest container: openquantumsafe/ci-alpine-amd64:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" 
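Review bot: For the `arm64` entry running on `oqs-arm64`, the image changes from `ci-ubuntu-focal-arm64` to `ci-ubuntu-latest`, whose tag no longer encodes an architecture; unless that repository publishes a multi-arch manifest, the self-hosted arm64 runner may pull an amd64 image and the job may fail or run under emulation. The image definition is not in this diff, so this is an inference; a comment on the matrix entry such as `# ci-ubuntu-latest is multi-arch; the arm64 runner pulls the aarch64 variant` would record the assumption. Giving the duplicated `- name: alpine` and `- name: focal-noopenssl` entries distinct names is a real fix, since duplicate names made the jobs indistinguishable in the run summary.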
@@ -42,29 +42,29 @@ jobs: container: openquantumsafe/ci-alpine-amd64:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py - - name: focal-nistr4-openssl + - name: noble-nistr4-openssl runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_R4 PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-nistonramp-openssl + - name: noble-nistonramp-openssl runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_SIG_ONRAMP PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-noopenssl + - name: noble-noopenssl runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-noopenssl + - name: noble-noopenssl-libjade runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-shared-noopenssl + - name: noble-shared-noopenssl runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-7 -DOQS_DIST_BUILD=OFF 
-DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON PYTEST_ARGS: --ignore=tests/test_namespace.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: jammy-clang @@ -94,17 +94,17 @@ jobs: PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: address-sanitizer runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 - name: address-sanitizer-no-stfl-key-sig-gen runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 - name: address-sanitizer-libjade runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 runs-on: ${{ matrix.runner }} @@ -185,7 +185,7 @@ jobs: linux_cross_compile: runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest strategy: fail-fast: false matrix: 
@@ -251,7 +251,7 @@ jobs: scan_build: runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest steps: - name: Checkout code uses: actions/checkout@v4 From da1076c2478ff01179076dfb37de1dc36791485c Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 10:01:35 -0400 Subject: [PATCH 27/41] Update image in extended tests and formatting script Signed-off-by: Spencer Wilson --- .github/workflows/extended.yml | 12 ++++++------ scripts/format_code.sh | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/extended.yml b/.github/workflows/extended.yml index 316d104e6..2f9c2753d 100644 --- a/.github/workflows/extended.yml +++ b/.github/workflows/extended.yml @@ -14,12 +14,12 @@ jobs: matrix: include: - name: generic - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*' - name: extensions - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*' 
@@ -44,19 +44,19 @@ jobs: matrix: include: - name: generic - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - name: generic-libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - name: extensions - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - name: extensions-libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST}}" PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' container: diff --git a/scripts/format_code.sh b/scripts/format_code.sh index e8b617b83..a2b5f4ef1 100755 --- a/scripts/format_code.sh +++ b/scripts/format_code.sh @@ -19,4 +19,4 @@ then exit 1 fi -docker run --rm -v"$LIBOQS_DIR":/root/liboqs -w /root/liboqs openquantumsafe/ci-ubuntu-focal-$arch:latest ./tests/run_astyle.sh --no-dry-run +docker run --rm -v"$LIBOQS_DIR":/root/liboqs -w /root/liboqs openquantumsafe/ci-ubuntu-latest:latest ./tests/run_astyle.sh --no-dry-run From e34813bca3a11d45922aaf9ca359205c00c0118e Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 10:01:51 -0400 Subject: [PATCH 28/41] Update PLATFORMS.md [full tests] Signed-off-by: Spencer Wilson --- PLATFORMS.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/PLATFORMS.md b/PLATFORMS.md index e2220229a..d33efa272 100644 
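Review bot: The `extensions-libjade` entry's context line reads `${{ vars.LIBJADE_ALG_LIST}}` with no space before `}}`, unlike every other site in this series; it is valid expression syntax, but since the line is on the new side of this hunk it is worth normalising to `-DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"` so a grep for the variable finds every use.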
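Review bot: After this change `$arch` is no longer referenced on the `docker run` line, so if the script still derives it above (that part is outside the hunk) the variable and any platform check feeding it are now dead code and should go with this commit. The bind mount `-v"$LIBOQS_DIR":/root/liboqs` runs the formatter inside the container as root unless the image sets a non-root `USER`, so files it rewrites come back root-owned on Linux hosts; passing `--user "$(id -u):$(id -g)"` avoids that, though the behaviour is pre-existing.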
--- a/PLATFORMS.md +++ b/PLATFORMS.md @@ -44,9 +44,9 @@ In this policy, the words "must" and "must not" specify absolute requirements th ### Tier 1 -- x86_64/amd64/x64 for Ubuntu Linux (Focal)† +- x86_64/amd64/x64 for Ubuntu Linux (Noble)† - x86_64/amd64/x64 for MacOS (XCode 14 and 15) -- aarch64 for Ubuntu (Focal) +- aarch64 for Ubuntu (Noble) - aarch64 for MacOS (XCode 15) - armhf/ARM7 and aarch64 emulation on Ubuntu @@ -60,5 +60,3 @@ In this policy, the words "must" and "must not" specify absolute requirements th ### Tier 3 - x86 for Windows (Visual Studio Toolchain) -- ppc64le for Ubuntu (Focal) -- s390x for Ubuntu (Focal) From d8d511e89c550bb0ec0d114aefab628786c03bd8 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 10:48:49 -0400 Subject: [PATCH 29/41] Update old compiler version Signed-off-by: Spencer Wilson --- .github/workflows/linux.yml | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 6b2664df5..69c7c3437 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml 
@@ -55,23 +55,28 @@ jobs: - name: noble-noopenssl runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF + CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: noble-noopenssl-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" + CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: noble-shared-noopenssl runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-7 -DOQS_DIST_BUILD=OFF -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON PYTEST_ARGS: --ignore=tests/test_namespace.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: jammy-clang runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang PYTEST_ARGS: --ignore=tests/test_kat_all.py + - name: noble-clang + runner: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang + PYTEST_ARGS: --ignore=tests/test_kat_all.py - name: jammy-std-openssl3 runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest 
@@ -95,17 +100,17 @@ jobs: - name: address-sanitizer runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 - name: address-sanitizer-no-stfl-key-sig-gen runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 - name: address-sanitizer-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 runs-on: ${{ matrix.runner }} container: 
@@ -256,7 +261,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Configure - run: mkdir build && cd build && scan-build-15 cmake -GNinja .. + run: mkdir build && cd build && scan-build cmake -GNinja .. - name: Build - run: scan-build-15 --status-bugs ninja + run: scan-build --status-bugs ninja working-directory: build From 9fc90d1a4ba25a27dcdc56a1fdab36d5b20f8306 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 10:49:07 -0400 Subject: [PATCH 30/41] Fix scan-build error Signed-off-by: Spencer Wilson --- tests/test_sig_stfl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/test_sig_stfl.c b/tests/test_sig_stfl.c index 70686fbee..9867dbf60 100644 --- a/tests/test_sig_stfl.c +++ b/tests/test_sig_stfl.c @@ -243,7 +243,9 @@ OQS_STATUS sig_stfl_keypair_from_KATs(OQS_SIG_STFL *sig, uint8_t *public_key, OQ ret = OQS_ERROR; cleanup: - fclose(fp_rsp); + if (fp_rsp) { + fclose(fp_rsp); + } return ret; } From d353e4cc796798194a2ce6dbcad993155e772a0f Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 11:03:14 -0400 Subject: [PATCH 31/41] Add --status-bugs flag to scan-build cmake [full tests] Signed-off-by: Spencer Wilson --- .github/workflows/linux.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 69c7c3437..1246bbed4 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -261,7 +261,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Configure - run: mkdir build && cd build && scan-build cmake -GNinja .. + run: mkdir build && cd build && scan-build --status-bugs cmake -GNinja .. - name: Build run: scan-build --status-bugs ninja working-directory: build From 5dce311586fd3854b34fb1be13c4b9803187089e Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 11:43:36 -0400 Subject: [PATCH 32/41] Don't test Dilithium/ML-DSA for leaks on clang [full tests] 
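Review bot: The `if (fp_rsp)` guard before `fclose` is only correct if `fp_rsp` is initialised to NULL at its declaration and every `goto cleanup` that precedes the `fopen` leaves it that way; the declaration is outside the hunk, so please confirm, otherwise the analyzer finding moves from a NULL `fclose` to a read of an uninitialised pointer. `sig_stfl_keypair_from_KATs` begins outside the hunk.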
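Review bot: With `--status-bugs` now on the configure invocation, any analyzer report raised while CMake compiles its own `try_compile` probes will fail the job even though those snippets are not project code; if that shows up as flaky configures, the flag can be kept on the `ninja` step only, which already carries it. This is a caution rather than a defect, and the `[full tests]` trigger in the commit message is the right way to prove it out.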
Signed-off-by: Spencer Wilson --- .github/workflows/linux.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 1246bbed4..f41d1b718 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -76,7 +76,7 @@ jobs: runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang - PYTEST_ARGS: --ignore=tests/test_kat_all.py + PYTEST_ARGS: --ignore=tests/test_kat_all.py -k 'not (leaks and (Dilithium or ML-DSA))' - name: jammy-std-openssl3 runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest From e1d619558b2c927e718e911259b629c102cc7618 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 12:56:00 -0400 Subject: [PATCH 33/41] Test all triggers [full test] [extended test] [trigger downstream] Signed-off-by: Spencer Wilson From 2628e77e52db9143ec4a35a5bc9464b9de12fc9f Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 30 Aug 2024 13:11:08 -0400 Subject: [PATCH 34/41] Inherit secrets from caller workflow [full tests] [extended tests] [trigger downstream] Signed-off-by: Spencer Wilson Signed-off-by: Spencer Wilson --- .github/workflows/commit-to-main.yml | 2 ++ .github/workflows/pr.yml | 1 + .github/workflows/push.yml | 1 + .github/workflows/release.yml | 1 + .github/workflows/weekly.yml | 1 + CI.md | 10 ++++++++-- 6 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml index ab381689f..1a1d05e4a 100644 --- a/.github/workflows/commit-to-main.yml +++ b/.github/workflows/commit-to-main.yml @@ -14,6 +14,8 @@ jobs: scorecard: uses: ./.github/workflows/scorecard.yml + secrets: inherit basic-downstream: uses: ./.github/workflows/downstream-basic.yml + secrets: inherit diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 30053e068..014677dbf 100644 
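Review bot: The new filter `-k 'not (leaks and (Dilithium or ML-DSA))'` disables leak detection for two signature families on this job without recording why, so the exclusion will outlive whatever clang/ASan interaction motivated it. A comment above the line, `# Leak checks for Dilithium/ML-DSA fail under clang on Noble (see <ISSUE_REF>); remove once fixed`, with a tracking issue keeps the gap visible. If the leak reports are genuine rather than false positives, suppressing them on the only Noble clang job hides a real finding; the commit message does not say which it is.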
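Review bot: `secrets: inherit` forwards every repository and organisation secret to the called workflow, whereas the scorecard and downstream-basic workflows presumably need only the specific token(s) used to publish results or dispatch downstream runs; an explicit mapping, `secrets:` followed by `SOME_TOKEN: ${{ secrets.SOME_TOKEN }}` (placeholder names; the real ones are declared in the called workflows, outside this diff), limits what a compromised or misbehaving called workflow can read. The same `secrets: inherit` is added in pr.yml, push.yml, release.yml and weekly.yml. In push.yml the downstream-release call is gated on `contains( github.event.head_commit.message, '[trigger downstream]' )`, so anyone who can push a branch can cause the inherited secrets to be forwarded to that workflow; an explicit list bounds the blast radius of that trigger.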
--- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -21,3 +21,4 @@ jobs: scorecard: needs: basic-checks uses: ./.github/workflows/scorecard.yml + secrets: inherit diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 3d0669954..df5b5eef6 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -30,3 +30,4 @@ jobs: needs: basic-checks if: contains( github.event.head_commit.message, '[trigger downstream]' ) uses: ./.github/workflows/downstream-release.yml + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cd371b12e..23f74b16f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,3 +14,4 @@ jobs: downstream-release-tests: uses: ./.github/workflows/downstream-release.yml + secrets: inherit diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml index c1c3c3a98..cc815ea36 100644 --- a/.github/workflows/weekly.yml +++ b/.github/workflows/weekly.yml @@ -13,6 +13,7 @@ jobs: # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained scorecard: uses: ./.github/workflows/scorecard.yml + secrets: inherit extended-tests: uses: ./.github/workflows/extended.yml diff --git a/CI.md b/CI.md index 58387fe54..95ad9c2cb 100644 --- a/CI.md +++ b/CI.md 
@@ -87,13 +87,19 @@ Currently, these include
 - [`liboqs-go`](https://github.com/open-quantum-safe/liboqs-go)
 - [`liboqs-python`](https://github.com/open-quantum-safe/liboqs-python)
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
 #### Downstream release trigger (`downstream-release.yml`)
-This workflow triggers release tests for a selection of projects that depend on `liboqs`. Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider).
+This workflow triggers release tests for a selection of projects that depend on `liboqs`.
+Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider).
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
 #### OpenSSF scorecard analysis (`scorecard.yml`)
-This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool. It is additionally triggered automatically when branch protection rules are changed.
+This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool.
+It is additionally triggered automatically when branch protection rules are changed.
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
 ## Travis CI
From 7ba99008551879cfa03545fdce0c0366a426004c Mon Sep 17 00:00:00 2001
From: Spencer Wilson
Date: Tue, 3 Sep 2024 17:16:38 -0400
Subject: [PATCH 35/41] Update suppression files for Falcon and McEliece [extended tests]
Signed-off-by: Spencer Wilson
---
 .../kem/issues/classic-mceliece-348864f | 6 +--
 .../kem/issues/classic-mceliece-460896 | 24 ++++++++++++
 .../kem/issues/classic-mceliece-460896f | 36 +++++++++++++++---
 .../kem/issues/classic-mceliece-6688128f | 38 ++++---------------
 .../kem/issues/classic-mceliece-6960119 | 2 +-
 .../kem/issues/classic-mceliece-6960119f | 28 +++-----------
 .../kem/issues/classic-mceliece-8192128f | 30 ++++-----------
 tests/constant_time/sig/issues/falcon | 10 ++++-
 8 files changed, 87 insertions(+), 87 deletions(-)
diff --git a/tests/constant_time/kem/issues/classic-mceliece-348864f b/tests/constant_time/kem/issues/classic-mceliece-348864f
index 5c5c9e6bd..023304d5b 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-348864f
+++ b/tests/constant_time/kem/issues/classic-mceliece-348864f
@@ -153,15 +153,15 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:445
+ src:pk_gen.c:444
 # fun:PQCLEAN_MCELIECE348864F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE348864F_AVX2_crypto_kem_keypair
 }
 {
 This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:444
+ Memcheck:Value8
+ src:pk_gen.c:445
 # fun:PQCLEAN_MCELIECE348864F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE348864F_AVX2_crypto_kem_keypair
 }
diff --git a/tests/constant_time/kem/issues/classic-mceliece-460896 b/tests/constant_time/kem/issues/classic-mceliece-460896
index 4108964c4..14cce9aed 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-460896
+++ b/tests/constant_time/kem/issues/classic-mceliece-460896
@@ -78,6 +78,22 @@
 fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair
 }
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Cond
+ src:util.h:16
+ # fun:store_i
+ fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+}
+
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:util.h:17
+ # fun:store_i
+ fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
@@ -86,6 +102,14 @@
 fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
 }
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:util.h:78
+ # fun:store8
+ fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
diff --git a/tests/constant_time/kem/issues/classic-mceliece-460896f b/tests/constant_time/kem/issues/classic-mceliece-460896f
index 4eb3eaf8b..58b7a612c 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-460896f
+++ b/tests/constant_time/kem/issues/classic-mceliece-460896f
@@ -1,7 +1,23 @@
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Cond
+ src:util.h:16
+ # fun:store_i
+ fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:201
+ src:util.h:17
+ # fun:store_i
+ fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
+}
+
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:200
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
 }
@@ -9,7 +25,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:199
+ src:pk_gen.c:198
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
 }
@@ -17,7 +33,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:196
+ src:pk_gen.c:195
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
 }
@@ -25,7 +41,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:423
+ src:pk_gen.c:422
 # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair
 }
@@ -33,7 +49,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:437
+ src:pk_gen.c:436
 # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair
 }
@@ -129,7 +145,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:442
+ src:pk_gen.c:440
 # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair
 }
@@ -342,6 +358,14 @@
 fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair
 }
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:437
+ # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
diff --git a/tests/constant_time/kem/issues/classic-mceliece-6688128f b/tests/constant_time/kem/issues/classic-mceliece-6688128f
index f59b36de5..8c63db87d 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-6688128f
+++ b/tests/constant_time/kem/issues/classic-mceliece-6688128f
@@ -1,7 +1,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:201
+ src:pk_gen.c:200
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 }
@@ -9,7 +9,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:199
+ src:pk_gen.c:198
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 }
@@ -17,7 +17,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:196
+ src:pk_gen.c:195
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 }
@@ -33,15 +33,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:426
- fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
- # fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:426
+ src:pk_gen.c:425
 # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
@@ -57,7 +49,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:440
+ src:pk_gen.c:439
 # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
@@ -65,15 +57,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:444
- # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:440
+ src:pk_gen.c:443
 # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
@@ -201,15 +185,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:445
- # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Value8
- src:pk_gen.c:445
+ src:pk_gen.c:444
 # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
diff --git a/tests/constant_time/kem/issues/classic-mceliece-6960119 b/tests/constant_time/kem/issues/classic-mceliece-6960119
index b01c1b15c..2c8176911 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-6960119
+++ b/tests/constant_time/kem/issues/classic-mceliece-6960119
@@ -81,7 +81,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:util.h:81
+ src:util.h:78
 # fun:store8
 fun:PQCLEAN_MCELIECE6960119_AVX2_pk_gen
 }
diff --git a/tests/constant_time/kem/issues/classic-mceliece-6960119f b/tests/constant_time/kem/issues/classic-mceliece-6960119f
index 8b9544fd2..28d1a3c20 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-6960119f
+++ b/tests/constant_time/kem/issues/classic-mceliece-6960119f
@@ -1,7 +1,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:201
+ src:pk_gen.c:200
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 }
@@ -9,7 +9,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:199
+ src:pk_gen.c:198
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 }
@@ -17,7 +17,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:196
+ src:pk_gen.c:195
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 }
@@ -33,15 +33,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:432
- # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:432
+ src:pk_gen.c:431
 # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
 }
@@ -57,7 +49,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:446
+ src:pk_gen.c:445
 # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
 }
@@ -65,7 +57,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:450
+ src:pk_gen.c:449
 # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
 }
@@ -201,14 +193,6 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:451
- # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
 src:pk_gen.c:450
 # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
diff --git a/tests/constant_time/kem/issues/classic-mceliece-8192128f b/tests/constant_time/kem/issues/classic-mceliece-8192128f
index 7e2e569ba..bdd008263 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-8192128f
+++ b/tests/constant_time/kem/issues/classic-mceliece-8192128f
@@ -1,7 +1,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:201
+ src:pk_gen.c:200
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 }
@@ -9,7 +9,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:199
+ src:pk_gen.c:198
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 }
@@ -17,7 +17,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:196
+ src:pk_gen.c:195
 # fun:to_bitslicing_2x
 fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 }
@@ -33,15 +33,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:426
- # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:426
+ src:pk_gen.c:425
 # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
@@ -57,7 +49,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
- src:pk_gen.c:441
+ src:pk_gen.c:440
 # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
@@ -65,15 +57,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:445
- # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:441
+ src:pk_gen.c:444
 # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
@@ -202,7 +186,7 @@
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
- src:pk_gen.c:446
+ src:pk_gen.c:445
 # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
diff --git a/tests/constant_time/sig/issues/falcon b/tests/constant_time/sig/issues/falcon
index bc5bebe26..1e73c0eed 100644
--- a/tests/constant_time/sig/issues/falcon
+++ b/tests/constant_time/sig/issues/falcon
@@ -12,4 +12,12 @@
 src:sign.c:1140
 # fun:BerExp
 fun:PQCLEAN_FALCON*_AVX2_sampler
-}
\ No newline at end of file
+}
+
+{
+ This constant time error has not been studied/analysed.
+ Memcheck:Cond
+ src:fpr.h:352
+ # fun:fpr_floor
+ fun:PQCLEAN_FALCON*_CLEAN_sampler
+}
From d06d64003ed8e37cf71d1885fd96e1eb57a2eccf Mon Sep 17 00:00:00 2001
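Review bot: The new Falcon entry ending in `+ fun:PQCLEAN_FALCON*_CLEAN_sampler` suppresses a Memcheck:Cond report in `fpr_floor` that its own first line says has not been studied, so if that branch in the sampler's floating-point path really depends on secret data the constant-time test will now stay green. An unanalysed suppression should at least carry a tracking reference so it is revisited rather than inherited indefinitely, e.g. `This constant time error has not been studied/analysed; tracked in <issue-id>.`. The `PQCLEAN_FALCON*` wildcard also matches every Falcon parameter set, so if the report was only observed on one variant the pattern is broader than the evidence.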
From: Spencer Wilson
Date: Tue, 3 Sep 2024 17:17:34 -0400
Subject: [PATCH 36/41] Enable all McEliece variants in weekly tests [extended tests]
Signed-off-by: Spencer Wilson
---
 .github/workflows/extended.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/extended.yml b/.github/workflows/extended.yml
index 2f9c2753d..73bad5ba0 100644
--- a/.github/workflows/extended.yml
+++ b/.github/workflows/extended.yml
@@ -17,12 +17,12 @@ jobs:
 container: openquantumsafe/ci-ubuntu-latest:latest
 CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
 PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
- SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*'
+ SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*'
 - name: extensions
 container: openquantumsafe/ci-ubuntu-latest:latest
 CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
 PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
- SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*'
+ SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*'
 container:
 image: ${{ matrix.container }}
 steps:
From 3f2a056a2f787bbc7689556218ca92ea2b3801eb Mon Sep 17 00:00:00 2001
From: Spencer Wilson
Date: Wed, 4 Sep 2024 10:35:35 -0400
Subject: [PATCH 37/41] Update permissions for workflows that call scorecard
Signed-off-by: Spencer Wilson
---
 .github/workflows/commit-to-main.yml | 18 ++++++++++++++++++
 .github/workflows/pr.yml | 18 ++++++++++++++++++
 .github/workflows/weekly.yml | 18 ++++++++++++++++++
 3 files changed, 54 insertions(+)
diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml
index 1a1d05e4a..100598154 100644
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@@ -15,6 +15,24 @@ jobs:
 scorecard:
 uses: ./.github/workflows/scorecard.yml
 secrets: inherit
+ # complete list of permissions keys as per
+ # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
+ # accessed September 4, 2024
+ permissions:
+ actions: read
+ attestations: read
+ checks: read
+ contents: read
+ deployments: read
+ id-token: write
+ issues: read
+ discussions: read
+ packages: read
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: write
+ statuses: read
 basic-downstream:
 uses: ./.github/workflows/downstream-basic.yml
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 014677dbf..41776b6e6 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -22,3 +22,21 @@ jobs:
 needs: basic-checks
 uses: ./.github/workflows/scorecard.yml
 secrets: inherit
+ # complete list of permissions keys as per
+ # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
+ # accessed September 4, 2024
+ permissions:
+ actions: read
+ attestations: read
+ checks: read
+ contents: read
+ deployments: read
+ id-token: write
+ issues: read
+ discussions: read
+ packages: read
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: write
+ statuses: read
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index cc815ea36..e1bf8fd94 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
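Review bot: The `+ permissions:` block gives the scorecard job read access on every scope GitHub defines (actions, attestations, checks, deployments, issues, discussions, packages, pages, pull-requests, repository-projects, statuses) alongside `id-token: write` and `security-events: write`, and the same block is repeated in the pr.yml and weekly.yml hunks. The caller job's permissions are the ceiling the reusable workflow can request, so enumerating the complete key list as the comment describes is the opposite of least privilege; the scorecard action documents needing `security-events: write` and `id-token: write` (plus `contents: read` and `actions: read` for private repositories), and the remaining read scopes can be dropped unless scorecard.yml, which is not in this patch, relies on them. Keeping the three copies minimal also reduces what has to stay in sync across the callers.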
@@ -14,6 +14,24 @@ jobs:
 scorecard:
 uses: ./.github/workflows/scorecard.yml
 secrets: inherit
+ # complete list of permissions keys as per
+ # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
+ # accessed September 4, 2024
+ permissions:
+ actions: read
+ attestations: read
+ checks: read
+ contents: read
+ deployments: read
+ id-token: write
+ issues: read
+ discussions: read
+ packages: read
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: write
+ statuses: read
 extended-tests:
 uses: ./.github/workflows/extended.yml
From b029ac2894df3899dc5b9f565e4e016ce0ff3b1e Mon Sep 17 00:00:00 2001
From: Spencer Wilson
Date: Wed, 4 Sep 2024 10:57:44 -0400
Subject: [PATCH 38/41] Update boringssl to GitHub Actions
Signed-off-by: Spencer Wilson
---
 .github/workflows/downstream-basic.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/downstream-basic.yml b/.github/workflows/downstream-basic.yml
index 87b66efe8..9b087772e 100644
--- a/.github/workflows/downstream-basic.yml
+++ b/.github/workflows/downstream-basic.yml
@@ -16,12 +16,13 @@ jobs:
 run: |
 curl --silent \
 --write-out "\n%{response_code}\n" \
- --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \
 --request POST \
- --header "Content-Type: application/json" \
- --data '{ "branch": "master", "parameters": { "run_downstream_tests": true } }' \
- https://circleci.com/api/v2/project/gh/open-quantum-safe/boringssl/pipeline | tee curl_out \
- && grep -q "201" curl_out
+ --header "Accept: application/vnd.github+json" \
+ --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ --data '{"event_type":"liboqs-upstream-trigger"}' \
+ https://api.github.com/repos/open-quantum-safe/boringssl/dispatches | tee curl_out \
+ && grep -q "204" curl_out
 - name: Trigger OQS-OpenSSH CI
 run: |
 curl --silent \
From 3e6b03448cb19776df685c381c59a4b4723b86b3 Mon Sep 17 00:00:00 2001
From: Spencer Wilson
Date: Wed, 4 Sep 2024 11:23:19 -0400
Subject: [PATCH 39/41] REVERT: test out main branch workflow
Signed-off-by: Spencer Wilson
---
 .github/workflows/commit-to-main.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml
index 100598154..0f7808f06 100644
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@@ -5,7 +5,6 @@ permissions:
 on:
 push:
- branches: ['main']
 jobs:
From 9ea3515db5d3319f6bd1afc2986ddd0fe1554a80 Mon Sep 17 00:00:00 2001
From: Spencer Wilson
Date: Wed, 4 Sep 2024 12:27:58 -0400
Subject: [PATCH 40/41] Fix fail-fast logic for downstream trigger
Signed-off-by: Spencer Wilson
---
 .github/workflows/downstream-basic.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/downstream-basic.yml b/.github/workflows/downstream-basic.yml
index 9b087772e..a97cb6c53 100644
--- a/.github/workflows/downstream-basic.yml
+++ b/.github/workflows/downstream-basic.yml
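Review bot: On the `+ --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}"` line the token is expanded by the expression engine into the shell script itself, so it lands in the step's script file and in curl's argument list on the runner; passing it through the step's `env:` block (`env:` then `GH_TOKEN: ${{ secrets.OQSBOT_GITHUB_ACTIONS }}`) and writing `--header "Authorization: Bearer $GH_TOKEN"` keeps it out of the script body, which is the pattern GitHub recommends for secrets used in `run:` steps. Separately, `grep -q "204" curl_out` succeeds on any line containing that substring; because `--write-out` emits the status code on a line of its own, `grep -qx 204 curl_out` checks only the status line. The other trigger steps in this file use the same grep pattern, though only the BoringSSL step is in this hunk.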
@@ -8,11 +8,10 @@ on: [workflow_call, workflow_dispatch]
 jobs:
 trigger-downstream-ci:
- strategy:
- fail-fast: false
 runs-on: ubuntu-latest
 steps:
 - name: Trigger OQS-BoringSSL CI
+ if: ${{ !cancelled() }} # run all steps independent of failures
 run: |
 curl --silent \
 --write-out "\n%{response_code}\n" \
@@ -24,6 +23,7 @@ jobs:
 https://api.github.com/repos/open-quantum-safe/boringssl/dispatches | tee curl_out \
 && grep -q "204" curl_out
 - name: Trigger OQS-OpenSSH CI
+ if: ${{ !cancelled() }} # run all steps independent of failures
 run: |
 curl --silent \
 --write-out "\n%{response_code}\n" \
@@ -35,6 +35,7 @@ jobs:
 https://api.github.com/repos/open-quantum-safe/openssh/actions/workflows/ubuntu.yaml/dispatches | tee curl_out \
 && grep -q "204" curl_out
 - name: Trigger oqs-provider CI
+ if: ${{ !cancelled() }} # run all steps independent of failures
 run: |
 curl --silent \
 --write-out "\n%{response_code}\n" \
@@ -45,6 +46,7 @@ jobs:
 https://circleci.com/api/v2/project/gh/open-quantum-safe/oqs-provider/pipeline | tee curl_out \
 && grep -q "201" curl_out
 - name: Trigger liboqs-cpp CI
+ if: ${{ !cancelled() }} # run all steps independent of failures
 run: |
 curl --silent \
 --write-out "\n%{response_code}\n" \
@@ -56,6 +58,7 @@ jobs:
 https://api.github.com/repos/open-quantum-safe/liboqs-cpp/dispatches | tee curl_out \
 && grep -q "204" curl_out
 - name: Trigger liboqs-go CI
+ if: ${{ !cancelled() }} # run all steps independent of failures
 run: |
 curl --silent \
 --write-out "\n%{response_code}\n" \
@@ -67,6 +70,7 @@ jobs:
 https://api.github.com/repos/open-quantum-safe/liboqs-go/dispatches | tee curl_out \
 && grep -q "204" curl_out
 - name: Trigger liboqs-python CI
+ if: ${{ !cancelled() }} # run all steps independent of failures
 run: |
 curl --silent \
 --write-out "\n%{response_code}\n" \
From a8d4721d695af5bc108ac86afccc735171b779bb Mon Sep 17 00:00:00 2001
From: Spencer Wilson
Date: Wed, 4 Sep 2024 14:21:21 -0400
Subject: [PATCH 41/41] Revert "REVERT: test out main branch workflow"
This reverts commit 1305d50af0a7ce1ffa5a73ae6fa7de91311185d3.
Signed-off-by: Spencer Wilson
---
 .github/workflows/commit-to-main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml
index 0f7808f06..100598154 100644
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@@ -5,6 +5,7 @@ permissions:
 on:
 push:
+ branches: ['main']
 jobs: