Skip to content

Merge pull request #370 from pq-code-package/indcpa #2493

Merge pull request #370 from pq-code-package/indcpa

Merge pull request #370 from pq-code-package/indcpa #2493

Workflow file for this run

# SPDX-License-Identifier: Apache-2.0
name: CI
permissions:
contents: read
on:
workflow_dispatch:
push:
branches: ["main"]
pull_request:
branches: ["main"]
types: [ "opened", "synchronize" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
quickcheck:
strategy:
fail-fast: false
matrix:
external:
- ${{ github.repository_owner != 'pq-code-package' }}
target:
- runner: pqcp-arm64
name: 'aarch64'
- runner: ubuntu-latest
name: 'x86_64'
exclude:
- {external: true,
target: {
runner: pqcp-arm64,
name: 'aarch64'
}}
name: Quickcheck (${{ matrix.target.name }})
runs-on: ${{ matrix.target.runner }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: make quickcheck
run: |
OPT=0 make quickcheck >/dev/null
make clean >/dev/null
OPT=1 make quickcheck >/dev/null
- uses: ./.github/actions/setup-ubuntu
- name: tests func
run: |
./scripts/tests func
- name: check namespacing
run: |
./scripts/ci/check-namespace
build_kat:
needs: quickcheck
strategy:
fail-fast: false
matrix:
external:
- ${{ github.repository_owner != 'pq-code-package' }}
target:
- runner: macos-latest
name: 'MacOS'
- runner: pqcp-arm64
name: 'ubuntu-latest (aarch64)'
- runner: pqcp-x64
name: 'ubuntu-latest (x86_64)'
exclude:
- {external: true,
target: {
runner: pqcp-arm64,
name: 'ubuntu-latest (aarch64)',
}}
- {external: true,
target: {
runner: pqcp-x64,
name: 'ubuntu-latest (x86_64)',
}}
name: Functional tests (${{ matrix.target.name }})
runs-on: ${{ matrix.target.runner }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: native build
uses: ./.github/actions/multi-functest
with:
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: native
func: true
nistkat: true
kat: true
- name: native tests (+debug+memsan+ubsan)
uses: ./.github/actions/multi-functest
with:
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: native
cflags: "-DMLKEM_DEBUG -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all"
- name: cross tests (opt only)
uses: ./.github/actions/multi-functest
if: ${{ matrix.target.runner != 'macos-latest' && (success() || failure()) }}
with:
nix-shell: ci-cross
nix-cache: true
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: cross
opt: opt
func: true
nistkat: true
kat: true
compiler_tests:
name: Compiler tests (${{ matrix.target.name }})
strategy:
fail-fast: false
matrix:
external:
- ${{ github.repository_owner != 'pq-code-package' }}
target:
- runner: pqcp-arm64
name: 'aarch64'
- runner: ubuntu-latest
name: 'x86_64'
exclude:
- {external: true,
target: {
runner: pqcp-arm64,
name: 'aarch64'
}}
runs-on: ${{ matrix.target.runner }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: native build+functest (gcc-4.8)
uses: ./.github/actions/multi-functest
with:
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: native
func: true
nistkat: false
kat: false
nix-shell: "ci_gcc48"
- name: native build+functest (gcc-4.9)
uses: ./.github/actions/multi-functest
with:
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: native
func: true
nistkat: false
kat: false
nix-shell: "ci_gcc49"
- name: native build+functest (gcc-7)
uses: ./.github/actions/multi-functest
with:
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: native
func: true
nistkat: false
kat: false
nix-shell: "ci_gcc7"
- name: native build+functest (gcc-11)
uses: ./.github/actions/multi-functest
with:
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: native
func: true
nistkat: false
kat: false
nix-shell: "ci_gcc11"
- name: native build+functest (clang-18)
uses: ./.github/actions/multi-functest
with:
gh_token: ${{ secrets.GITHUB_TOKEN }}
compile_mode: native
func: true
nistkat: false
kat: false
nix-shell: "ci_clang18"
lint:
strategy:
matrix:
system: [ubuntu-latest]
name: Linting
runs-on: ${{ matrix.system }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: ./.github/actions/lint
with:
nix-shell: ci-linter
gh_token: ${{ secrets.GITHUB_TOKEN }}
cross-prefix: "aarch64-unknown-linux-gnu-"
ec2_functests:
needs: quickcheck
strategy:
fail-fast: false
matrix:
target:
- name: AMD EPYC 4th gen (t3a)
ec2_instance_type: t3a.small
ec2_ami: ubuntu-latest (custom AMI)
ec2_ami_id: ami-0d47e137a1108e078 # x86_64 ubuntu-latest, 32g
compile_mode: native
opt: all
- name: Intel Xeon 4th gen (t3)
ec2_instance_type: t3.small
ec2_ami: ubuntu-latest (custom AMI)
ec2_ami_id: ami-0d47e137a1108e078 # x86_64 ubuntu-latest, 32g
compile_mode: native
opt: all
- name: Graviton2 (c6g.medium)
ec2_instance_type: c6g.medium
ec2_ami: ubuntu-latest (custom AMI)
ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
compile_mode: native
opt: all
- name: Graviton3 (c7g.medium)
ec2_instance_type: c7g.medium
ec2_ami: ubuntu-latest (custom AMI)
ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
compile_mode: native
opt: all
name: Functional tests (${{ matrix.target.name }})
permissions:
contents: 'read'
id-token: 'write'
uses: ./.github/workflows/ci_ec2_reusable.yml
if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
with:
name: ${{ matrix.target.name }}
ec2_instance_type: ${{ matrix.target.ec2_instance_type }}
ec2_ami: ${{ matrix.target.ec2_ami }}
ec2_ami_id: ${{ matrix.target.ec2_ami_id }}
compile_mode: ${{ matrix.target.compile_mode }}
opt: ${{ matrix.target.opt }}
functest: true
kattest: true
nistkattest: true
lint: false
verbose: true
secrets: inherit
cbmc_k2:
needs: quickcheck
permissions:
contents: 'read'
id-token: 'write'
uses: ./.github/workflows/ci_ec2_reusable.yml
if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
with:
name: CBMC (MLKEM-512)
ec2_instance_type: c7g.2xlarge
ec2_ami: ubuntu-latest (custom AMI)
ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
compile_mode: native
opt: no_opt
lint: false
verbose: true
functest: true
kattest: false
nistkattest: false
cbmc: true
cbmc_mlkem_k: 2
secrets: inherit
cbmc_k3:
needs: quickcheck
permissions:
contents: 'read'
id-token: 'write'
uses: ./.github/workflows/ci_ec2_reusable.yml
if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
with:
name: CBMC (MLKEM-768)
ec2_instance_type: c7g.2xlarge
ec2_ami: ubuntu-latest (custom AMI)
ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
compile_mode: native
opt: no_opt
lint: false
verbose: true
functest: true
kattest: false
nistkattest: false
cbmc: true
cbmc_mlkem_k: 3
secrets: inherit
cbmc_k4:
needs: quickcheck
permissions:
contents: 'read'
id-token: 'write'
uses: ./.github/workflows/ci_ec2_reusable.yml
if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
with:
name: CBMC (MLKEM-1024)
ec2_instance_type: c7g.2xlarge
ec2_ami: ubuntu-latest (custom AMI)
ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
compile_mode: native
opt: no_opt
lint: false
verbose: true
functest: true
kattest: false
nistkattest: false
cbmc: true
cbmc_mlkem_k: 4
secrets: inherit