# SPDX-License-Identifier: Apache-2.0
# Workflow identity, default token scope, triggers and run de-duplication.
name: CI

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
# A job that needs anything more has to declare its own `permissions:` map.
permissions:
  contents: read

# The pull-request trigger is `pull_request`, not `pull_request_target`, so
# pull requests from forks run with a read-only token and without
# repository secrets.
on:
  workflow_dispatch:
  push:
    branches:
      - "main"
  pull_request:
    branches:
      - "main"
    # Only these two activity types start a run.
    types:
      - "opened"
      - "synchronize"

# One live run per workflow and ref; a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
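jobs:
  # Lint job: checks out the repository and hands off to the local lint action.
  lint:
    name: Linting
    strategy:
      matrix:
        system: [ubuntu-latest]
    runs-on: ${{ matrix.system }}
    steps:
      # Actions from outside the repository are pinned to a full commit SHA;
      # the trailing comment records the release tag the SHA was taken from.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Local action from this repository. It is given the job's GITHUB_TOKEN,
      # which the workflow-level `permissions:` limits to `contents: read`.
      - uses: ./.github/actions/lint
        with:
          nix-shell: ci-linter
          gh_token: ${{ secrets.GITHUB_TOKEN }}
          cross-prefix: "aarch64-unknown-linux-gnu-"

  # Markdown link check, performed by a third-party action.
  lint-markdown-link:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The next step runs third-party code against the workspace and, as
          # configured here, makes no authenticated git calls, so the token is
          # not left behind in the checkout's git configuration.
          persist-credentials: false
      - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15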
# quickcheck:
# strategy:
# fail-fast: false
# matrix:
# external:
# - ${{ github.repository_owner != 'pq-code-package' }}
# target:
# - runner: pqcp-arm64
# name: 'aarch64'
# - runner: ubuntu-latest
# name: 'x86_64'
# exclude:
# - {external: true,
# target: {
# runner: pqcp-arm64,
# name: 'aarch64'
# }}
# name: Quickcheck (${{ matrix.target.name }})
# runs-on: ${{ matrix.target.runner }}
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: make quickcheck
# run: |
# OPT=0 make quickcheck >/dev/null
# make clean >/dev/null
# OPT=1 make quickcheck >/dev/null
# - uses: ./.github/actions/setup-ubuntu
# - name: tests func
# run: |
# ./scripts/tests func
# - name: check namespacing
# run: |
# ./scripts/ci/check-namespace
# quickcheck-c90:
# strategy:
# fail-fast: false
# matrix:
# external:
# - ${{ github.repository_owner != 'pq-code-package' }}
# target:
# - runner: pqcp-arm64
# name: 'aarch64'
# - runner: ubuntu-latest
# name: 'x86_64'
# exclude:
# - {external: true,
# target: {
# runner: pqcp-arm64,
# name: 'aarch64'
# }}
# name: Quickcheck C90 (${{ matrix.target.name }})
# runs-on: ${{ matrix.target.runner }}
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: make quickcheck
# run: |
# OPT=0 CPPFLAGS=-std=c90 make quickcheck >/dev/null
# make clean >/dev/null
# OPT=1 CPPFLAGS=-std=c90 make quickcheck >/dev/null
# - uses: ./.github/actions/setup-ubuntu
# - name: tests func
# run: |
# CPPFLAGS="-std=c90" ./scripts/tests func
# - name: check namespacing
# run: |
# ./scripts/ci/check-namespace
# quickcheck-windows:
# name: Quickcheck windows-latest
# runs-on: windows-latest
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
# - name: Build test
# shell: powershell
# run: |
# # print compiler version
# cl
# nmake /f ./Makefile.Microsoft_nmake quickcheck
# quickcheck-lib:
# name: Quickcheck lib
# strategy:
# matrix:
# system: [macos-latest, ubuntu-latest]
# runs-on: ${{ matrix.system }}
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: make lib
# run: |
# make lib
# examples:
# name: Examples
# strategy:
# matrix:
# system: [macos-latest, ubuntu-latest]
# runs-on: ${{ matrix.system }}
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: mlkem_native_as_code_package
# run: |
# make run -C examples/mlkem_native_as_code_package
# - name: bring_your_own_fips202
# run: |
# make run -C examples/bring_your_own_fips202
# - name: custom_backend
# run: |
# make run -C examples/custom_backend
# build_kat:
# strategy:
# fail-fast: false
# matrix:
# external:
# - ${{ github.repository_owner != 'pq-code-package' }}
# target:
# - runner: macos-latest
# name: 'MacOS'
# arch: mac
# mode: native
# - runner: pqcp-arm64
# name: 'ubuntu-latest (aarch64)'
# arch: aarch64
# mode: native
# - runner: pqcp-arm64
# name: 'ubuntu-latest (aarch64)'
# arch: x86_64
# mode: cross-x86_64
# - runner: pqcp-arm64
# name: 'ubuntu-latest (aarch64)'
# arch: riscv64
# mode: cross-riscv64
# - runner: pqcp-x64
# name: 'ubuntu-latest (x86_64)'
# arch: x86_64
# mode: native
# - runner: pqcp-x64
# name: 'ubuntu-latest (x86_64)'
# arch: aarch64
# mode: cross-aarch64
# - runner: pqcp-x64
# name: 'ubuntu-latest (x86_64)'
# arch: aarch64_be
# mode: cross-aarch64_be
# exclude:
# - {external: true,
# target: {
# runner: pqcp-arm64,
# name: 'ubuntu-latest (aarch64)',
# arch: aarch64,
# mode: native
# }}
# - {external: true,
# target: {
# runner: pqcp-arm64,
# name: 'ubuntu-latest (aarch64)',
# arch: x86_64,
# mode: cross-x86_64
# }}
# - {external: true,
# target: {
# runner: pqcp-arm64,
# name: 'ubuntu-latest (aarch64)',
# arch: riscv64,
# mode: cross-riscv64
# }}
# - {external: true,
# target: {
# runner: pqcp-x64,
# name: 'ubuntu-latest (x86_64)',
# arch: x86_64,
# mode: native
# }}
# - {external: true,
# target: {
# runner: pqcp-x64,
# name: 'ubuntu-latest (x86_64)',
# arch: aarch64,
# mode: cross-aarch64
# }}
# - {external: true,
# target: {
# runner: pqcp-x64,
# name: 'ubuntu-latest (x86_64)',
# arch: aarch64_be,
# mode: cross-aarch64_be
# }}
# name: Functional tests (${{ matrix.target.arch }}${{ matrix.target.mode != 'native' && ', cross' || ''}})
# runs-on: ${{ matrix.target.runner }}
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: build + test
# uses: ./.github/actions/multi-functest
# with:
# nix-shell: ${{ matrix.target.mode == 'native' && 'ci' || 'ci-cross' }}
# nix-cache: ${{ matrix.target.mode == 'native' && 'false' || 'true' }}
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: ${{ matrix.target.mode }}
# # There is no native code on R-V or AArch64_be yet, so no point running opt tests
# opt: ${{ (matrix.target.arch != 'riscv64' && matrix.target.arch != 'aarch64_be') && 'all' || 'no_opt' }}
# - name: build + test (+debug+memsan+ubsan)
# uses: ./.github/actions/multi-functest
# if: ${{ matrix.target.mode == 'native' }}
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# cflags: "-DMLKEM_DEBUG -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all"
# compiler_tests:
# name: Compiler tests (${{ matrix.target.name }})
# strategy:
# fail-fast: false
# matrix:
# external:
# - ${{ github.repository_owner != 'pq-code-package' }}
# target:
# - runner: pqcp-arm64
# name: 'aarch64'
# - runner: ubuntu-latest
# name: 'x86_64'
# - runner: macos-latest
# name: 'macos'
# exclude:
# - {external: true,
# target: {
# runner: pqcp-arm64,
# name: 'aarch64'
# }}
# runs-on: ${{ matrix.target.runner }}
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: native build+functest (gcc-4.8)
# if: ${{ matrix.target.runner != 'macos-latest' }}
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# func: true
# nistkat: false
# kat: false
# acvp: false
# nix-shell: "ci_gcc48"
# - name: native build+functest (gcc-4.9)
# if: ${{ matrix.target.runner != 'macos-latest' }}
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# func: true
# nistkat: false
# kat: false
# acvp: false
# nix-shell: "ci_gcc49"
# - name: native build+functest (gcc-7)
# if: ${{ matrix.target.runner != 'macos-latest' }}
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# func: true
# nistkat: false
# kat: false
# acvp: false
# nix-shell: "ci_gcc7"
# - name: native build+functest (gcc-11)
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# func: true
# nistkat: false
# kat: false
# acvp: false
# nix-shell: "ci_gcc11"
# - name: native build+functest (gcc-14)
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# func: true
# nistkat: false
# kat: false
# acvp: false
# nix-shell: "ci_gcc14"
# - name: native build+functest (clang-18)
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# func: true
# nistkat: false
# kat: false
# acvp: false
# nix-shell: "ci_clang18"
# # The purpose of this job is to test non-default yet valid configurations
# config_variations:
# name: Non-standard configurations
# strategy:
# fail-fast: false
# matrix:
# external:
# - ${{ github.repository_owner != 'pq-code-package' }}
# target:
# - runner: pqcp-arm64
# name: 'ubuntu-latest (aarch64)'
# - runner: pqcp-x64
# name: 'ubuntu-latest (x86_64)'
# exclude:
# - {external: true,
# target: {
# runner: pqcp-arm64,
# name: 'ubuntu-latest (aarch64)',
# }}
# - {external: true,
# target: {
# runner: pqcp-x64,
# name: 'ubuntu-latest (x86_64)',
# }}
# runs-on: ${{ matrix.target.runner }}
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# - name: "MLKEM_GEN_MATRIX_NBLOCKS=1"
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# cflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -DMLKEM_GEN_MATRIX_NBLOCKS=1"
# func: true
# nistkat: true
# kat: false
# acvp: false
# - name: "MLKEM_GEN_MATRIX_NBLOCKS=2"
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# cflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -DMLKEM_GEN_MATRIX_NBLOCKS=2"
# func: true
# nistkat: true
# kat: false
# acvp: false
# - name: "MLKEM_GEN_MATRIX_NBLOCKS=4"
# uses: ./.github/actions/multi-functest
# with:
# gh_token: ${{ secrets.GITHUB_TOKEN }}
# compile_mode: native
# cflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -DMLKEM_GEN_MATRIX_NBLOCKS=4"
# func: true
# nistkat: true
# kat: false
# acvp: false
# Entry of the workflow's `jobs:` map.
# Platform tests on EC2: one matrix entry per CPU target, each delegated to
# the repository's reusable EC2 workflow with functest, kattest, nistkattest
# and acvptest enabled.
ec2_functests:
  name: Platform tests (${{ matrix.target.name }})
  # Runs only when the repository owner is pq-code-package and the pull
  # request head repository is not a fork, which keeps the OIDC token and the
  # inherited secrets below away from fork-submitted code.
  if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
  # Job-level override of the workflow default. `id-token: write` allows an
  # OIDC token to be requested (presumably to assume a cloud role for the EC2
  # instances; confirm in ci_ec2_reusable.yml).
  permissions:
    contents: read
    id-token: write
  strategy:
    # A failing target does not cancel the other targets.
    fail-fast: false
    matrix:
      # Each target names its instance type and a fixed AMI ID.
      target:
        - name: AMD EPYC 4th gen (t3a)
          ec2_instance_type: t3a.small
          ec2_ami: ubuntu-latest (custom AMI)
          ec2_ami_id: ami-0d47e137a1108e078 # x86_64 ubuntu-latest, 32g
          compile_mode: native
          opt: all
        - name: Intel Xeon 4th gen (t3)
          ec2_instance_type: t3.small
          ec2_ami: ubuntu-latest (custom AMI)
          ec2_ami_id: ami-0d47e137a1108e078 # x86_64 ubuntu-latest, 32g
          compile_mode: native
          opt: all
        - name: Graviton2 (c6g.medium)
          ec2_instance_type: c6g.medium
          ec2_ami: ubuntu-latest (custom AMI)
          ec2_ami_id: ami-0f4b26c5372aa0525 # ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
          compile_mode: native
          opt: all
        - name: Graviton3 (c7g.medium)
          ec2_instance_type: c7g.medium
          ec2_ami: ubuntu-latest (custom AMI)
          ec2_ami_id: ami-0f4b26c5372aa0525 # ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
          compile_mode: native
          opt: all
  uses: ./.github/workflows/ci_ec2_reusable.yml
  with:
    # Per-target values taken from the matrix entry.
    name: ${{ matrix.target.name }}
    ec2_instance_type: ${{ matrix.target.ec2_instance_type }}
    ec2_ami: ${{ matrix.target.ec2_ami }}
    ec2_ami_id: ${{ matrix.target.ec2_ami_id }}
    compile_mode: ${{ matrix.target.compile_mode }}
    opt: ${{ matrix.target.opt }}
    # Fixed switches, identical for every target.
    functest: true
    kattest: true
    nistkattest: true
    acvptest: true
    lint: false
    verbose: true
  # NOTE(review): `inherit` hands every secret available to this workflow to
  # the called workflow; listing only the secrets it reads would narrow that.
  secrets: inherit
# cbmc_k2:
# name: CBMC (ML-KEM-512)
# needs: [quickcheck, quickcheck-windows, quickcheck-c90, quickcheck-lib, examples, lint, lint-markdown-link]
# permissions:
# contents: 'read'
# id-token: 'write'
# uses: ./.github/workflows/ci_ec2_reusable.yml
# if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
# with:
# name: CBMC (MLKEM-512)
# ec2_instance_type: c7g.2xlarge
# ec2_ami: ubuntu-latest (custom AMI)
# ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
# compile_mode: native
# opt: no_opt
# lint: false
# verbose: true
# functest: true
# kattest: false
# nistkattest: false
# acvptest: false
# cbmc: true
# cbmc_mlkem_k: 2
# secrets: inherit
# cbmc_k3:
# name: CBMC (ML-KEM-768)
# needs: [quickcheck, quickcheck-windows, quickcheck-c90, quickcheck-lib, examples, lint, lint-markdown-link]
# permissions:
# contents: 'read'
# id-token: 'write'
# uses: ./.github/workflows/ci_ec2_reusable.yml
# if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
# with:
# name: CBMC (MLKEM-768)
# ec2_instance_type: c7g.2xlarge
# ec2_ami: ubuntu-latest (custom AMI)
# ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
# compile_mode: native
# opt: no_opt
# lint: false
# verbose: true
# functest: true
# kattest: false
# nistkattest: false
# acvptest: false
# cbmc: true
# cbmc_mlkem_k: 3
# secrets: inherit
# cbmc_k4:
# name: CBMC (ML-KEM-1024)
# needs: [quickcheck, quickcheck-windows, quickcheck-c90, quickcheck-lib, examples, lint, lint-markdown-link]
# permissions:
# contents: 'read'
# id-token: 'write'
# uses: ./.github/workflows/ci_ec2_reusable.yml
# if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
# with:
# name: CBMC (MLKEM-1024)
# ec2_instance_type: c7g.2xlarge
# ec2_ami: ubuntu-latest (custom AMI)
# ec2_ami_id: ami-08ddb0acd99dc3d33 # aarch64, ubuntu-latest, 64g
# compile_mode: native
# opt: no_opt
# lint: false
# verbose: true
# functest: true
# kattest: false
# nistkattest: false
# acvptest: false
# cbmc: true
# cbmc_mlkem_k: 4
# secrets: inherit