Hoist CI components into reusable actions and workflows (#122)

* Hoist functional tests into composite action Signed-off-by: Hanno Becker <[email protected]> * Hoist benchmarking into reusable job Signed-off-by: Hanno Becker <[email protected]> * Hoist CI components into reusable workflows Signed-off-by: Hanno Becker <[email protected]> * Add triggerable workflow for CI on EC2 Fixes #118 Signed-off-by: Hanno Becker <[email protected]> * Move reusable workflows into actions Signed-off-by: Hanno Becker <[email protected]> * Reduce nix output Signed-off-by: Hanno Becker <[email protected]> * Address review feedback Signed-off-by: Hanno Becker <[email protected]> --------- Signed-off-by: Hanno Becker <[email protected]>
pq-code-package · Sep 11, 2024 · e3d21eb · e3d21eb
1 parent bc53aaf
commit e3d21eb
Show file tree

Hide file tree

Showing 12 changed files with 396 additions and 155 deletions.
diff --git a/.github/actions/bench/action.yml b/.github/actions/bench/action.yml
@@ -32,24 +32,46 @@ inputs:
   gh_token:
      description: GitHub access token
      required: true
+  use-nix:
+    description: Whether to run in the default Nix environment
+    default: true
+  custom_shell:
+    description: The shell to use. Only relevant if use-nix is 'false'
+    default: 'bash'
 runs:
   using: composite
   steps:
-      - name: Run benchmark
-        shell: nix develop .#ci -c bash -e {0}
-        run: |
-          tests bench -c ${{ inputs.perf }} --cflags "${{ inputs.cflags }}" --arch-flags "${{ inputs.archflags }}" -v --output output.json ${{ inputs.bench_extra_args }}
-      - name: Dump benchmark
-        shell: bash
-        if: ${{ inputs.store_results != 'true' }}
-        run: |
-          cat output.json
-      - name: Store benchmark result
-        if: ${{ inputs.store_results == 'true' }}
-        uses: benchmark-action/github-action-benchmark@v1
-        with:
-          name: ${{ inputs.name }}
-          tool: 'customSmallerIsBetter'
-          output-file-path: output.json
-          github-token: ${{ inputs.gh_token }}
-          auto-push: true
+    - name: Setup nix
+      if: ${{ inputs.use-nix }}
+      uses: ./.github/actions/setup-nix
+      with:
+        devShell: ci
+        script: |
+          ARCH=$(uname -m)
+          cat >> $GITHUB_STEP_SUMMARY <<-EOF
+            ## Setup
+            Architecture: $ARCH
+            - $(uname -a)
+            - $(nix --version)
+            - $(${{ matrix.target.cross_prefix }}gcc --version | grep -m1 "")
+            - $(bash --version | grep -m1 "")
+
+            ## CPU Info
+            $(cat /proc/cpuinfo)
+          EOF
+    - name: Set shell
+      shell: bash
+      run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV
+    - name: Run benchmark
+      shell: ${{ env.SHELL }}
+      run: |
+        tests bench -c ${{ inputs.perf }} --cflags "${{ inputs.cflags }}" --arch-flags "${{ inputs.archflags }}" -v --output output.json ${{ inputs.bench_extra_args }}
+    - name: Store benchmark result
+      if: ${{ inputs.store_results == 'true' }}
+      uses: benchmark-action/github-action-benchmark@v1
+      with:
+        name: ${{ inputs.name }}
+        tool: 'customSmallerIsBetter'
+        output-file-path: output.json
+        github-token: ${{ inputs.gh_token }}
+        auto-push: true
diff --git a/.github/actions/cbmc/action.yml b/.github/actions/cbmc/action.yml
@@ -0,0 +1,47 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: CBMC
+description: Run CBMC proofs for MLKEM-C_AArch64
+
+inputs:
+  use-nix:
+    description: Whether to run in the default Nix environment
+    default: true
+  custom_shell:
+    description: The shell to use. Only relevant if use-nix is 'false'
+    default: 'bash'
+  cross-prefix:
+    description: Binary prefix for cross compilation
+    default: ''
+runs:
+  using: composite
+  steps:
+      - uses: actions/checkout@v4
+      - name: Setup nix
+        if: ${{ inputs.use-nix }}
+        uses: ./.github/actions/setup-nix
+        with:
+          devShell: ci-cbmc
+          script: |
+            cat >> $GITHUB_STEP_SUMMARY << EOF
+              ## Setup
+              Architecture: $(uname -m)
+              - $(nix --version)
+              - $(cbmc --version)
+              - litani Version $(litani --version)
+              - Cadical Version $(cadical --version)
+              - $(${{ inputs.cross_prefix }}gcc --version | grep -m1 "")
+              - $(bash --version | grep -m1 "")
+            EOF
+      - name: Set shell
+        shell: bash
+        run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci-cbmc -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV
+      - name: Run CBMC proofs
+        shell: ${{ env.SHELL }}
+        run: |
+          cd cbmc/proofs;
+          echo "::group::cbmc"
+          KYBER_K=2 ./run-cbmc-proofs.py --summarize;
+          KYBER_K=3 ./run-cbmc-proofs.py --summarize;
+          KYBER_K=4 ./run-cbmc-proofs.py --summarize;
+          echo "::endgroup::"
diff --git a/.github/actions/functest/action.yml b/.github/actions/functest/action.yml
@@ -0,0 +1,64 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Functional tests
+description: Run functional tests for MLKEM-C_AArch64
+
+inputs:
+  use-nix:
+    description: Whether to run in the default Nix environment
+    default: true
+  cflags:
+    description: CFLAGS to pass to compilation
+    default: ''
+  cross-prefix:
+    description: Binary prefix for cross compilation
+    default: ''
+runs:
+  using: composite
+  steps:
+      - name: Setup nix
+        uses: ./.github/actions/setup-nix
+        if: ${{ inputs.use-nix }}
+        with:
+          devShell: ci
+          script: |
+            ARCH=$(uname -m)
+            cat >> $GITHUB_STEP_SUMMARY <<-EOF
+              ## Setup
+              Architecture: $ARCH
+              - $(uname -a)
+              - $(nix --version)
+              - $(${{ inputs.cross-prefix }}gcc --version | grep -m1 "")
+              - $(bash --version | grep -m1 "")
+            EOF
+      - name: Set shell
+        shell: bash
+        run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV
+      - name: Run functional tests
+        id: func_test
+        shell: ${{ env.SHELL }}
+        run: |
+          echo "::group::func_test"
+          tests func --cross-prefix=${{ inputs.cross-prefix }} --cflags ${{ inputs.cflags }} -v
+          echo "::endgroup::"
+      - name: Run KAT tests
+        if: |
+          success()
+          || steps.func_test.conclusion == 'failure'
+        id: kat_test
+        shell: ${{ env.SHELL }}
+        run: |
+          echo "::group::func_test"
+          tests kat --cross-prefix=${{ inputs.cross-prefix }} --cflags ${{ inputs.cflags }} -v
+          echo "::endgroup::"
+      - name: Run Nistkat tests
+        id: nistkat_test
+        if: |
+          success()
+          || steps.func_test.conclusion == 'failure'
+          || steps.kat_test.conclusion == 'failure'
+        shell: ${{ env.SHELL }}
+        run: |
+          echo "::group::func_test"
+          tests nistkat --cross-prefix=${{ inputs.cross-prefix }} --cflags ${{ inputs.cflags }} -v
+          echo "::endgroup::"
diff --git a/.github/actions/lint/action.yml b/.github/actions/lint/action.yml
@@ -0,0 +1,41 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Lint
+description: Lint MLKEM-C_AArch64
+
+inputs:
+  use-nix:
+    description: Whether to run in the default Nix environment
+    default: true
+  custom_shell:
+    description: The shell to use. Only relevant if use-nix is 'false'
+    default: 'bash'
+  cross-prefix:
+    description: Binary prefix for cross compilation
+    default: ''
+runs:
+  using: composite
+  steps:
+      - name: Setup nix
+        if: ${{ inputs.use-nix }}
+        uses: ./.github/actions/setup-nix
+        with:
+          devShell: ci-linter
+          script: |
+            cat >> $GITHUB_STEP_SUMMARY << EOF
+              ## Setup
+              Architecture: $(uname -m)
+              - $(uname -a)
+              - $(nix --version)
+              - $(astyle --version)
+              - $(${{ matrix.target.cross-prefix }}gcc --version | grep -m1 "")
+              - $(bash --version | grep -m1 "")
+            EOF
+      - name: Set shell
+        shell: bash
+        run: echo SHELL="${{ inputs.use-nix && 'nix develop .#ci-linter -c bash -e {0}' || inputs.custom_shell }}" >> $GITHUB_ENV
+      - name: Run linter
+        shell: ${{ env.SHELL }}
+        run: |
+          echo "## Lint & Checks" >> $GITHUB_STEP_SUMMARY
+          lint
diff --git a/.github/actions/setup-nix/action.yml b/.github/actions/setup-nix/action.yml
@@ -17,10 +17,10 @@ runs:
     - uses: DeterminateSystems/nix-installer-action@v13
     - uses: DeterminateSystems/magic-nix-cache-action@v7
     - name: Prepare nix dev shell
-      shell: nix develop .#${{ inputs.devShell }} -c bash -e {0}
+      shell: nix develop --quiet .#${{ inputs.devShell }} -c bash -e {0}
       run: |
     - name: Dependency check
-      shell: nix develop .#${{ inputs.devShell }} -c bash -e {0}
+      shell: nix develop --quiet .#${{ inputs.devShell }} -c bash -e {0}
       if: inputs.script != ''
       env:
         INPUT_SCRIPT: ${{ inputs.script }}

diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
@@ -32,40 +32,16 @@ jobs:
           archflags: "-mcpu=cortex-a55 -march=armv8.2-a"
           cflags: "-static -DFORCE_AARCH64"
           bench_extra_args: -w exec-on-a55
-    runs-on: self-hosted-${{ matrix.target.system }}
-    defaults:
-      run:
-        shell: nix develop .#ci -c bash -e {0}
-    permissions:
-      contents: write
     if: github.repository_owner == 'pq-code-package' && (github.event.label.name == 'benchmark' || github.ref == 'refs/heads/main')
+    runs-on: self-hosted-${{ matrix.target.system }}
     steps:
       - uses: actions/checkout@v4
-      - name: Setup nix
-        uses: ./.github/actions/setup-nix
-        with:
-          devShell: ci
-          script: |
-            ARCH=$(uname -m)
-            cat >> $GITHUB_STEP_SUMMARY <<-EOF
-              ## Setup
-              Architecture: $ARCH
-              - $(uname -a)
-              - $(nix --version)
-              - $(astyle --version)
-              - $(${{ matrix.target.cross_prefix }}gcc --version | grep -m1 "")
-              - $(bash --version | grep -m1 "")
-
-              ## CPU Info
-              $(cat /proc/cpuinfo)
-            EOF
-      - name: Run benchmark
-        uses: ./.github/actions/bench
+      - uses: ./.github/actions/bench
         with:
           name: ${{ matrix.target.name }}
           cflags: ${{ matrix.target.cflags }}
           archflags: ${{ matrix.target.archflags }}
           perf: ${{ matrix.target.bench_pmu }}
           store_results: ${{ github.repository_owner == 'pq-code-package' && github.ref == 'refs/heads/main' }}
           bench_extra_args: ${{ matrix.target.bench_extra_args }}
-          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
diff --git a/.github/workflows/bench_ec2_all.yml b/.github/workflows/bench_ec2_all.yml
@@ -1,3 +1,5 @@
+# SPDX-License-Identifier: Apache-2.0
+
 name: Bench EC2
 on:
   workflow_dispatch:

diff --git a/.github/workflows/bench_ec2_any.yml b/.github/workflows/bench_ec2_any.yml
@@ -1,3 +1,5 @@
+# SPDX-License-Identifier: Apache-2.0
+
 name: bench-ec2-any
 on:
   workflow_dispatch:

diff --git a/.github/workflows/bench_ec2_reusable.yml b/.github/workflows/bench_ec2_reusable.yml
@@ -1,3 +1,5 @@
+# SPDX-License-Identifier: Apache-2.0
+
 name: bench-ec2-reusable
 on:
   workflow_call:
@@ -72,31 +74,13 @@ jobs:
           security-group-id: sg-0ab2e297196c8c381
   bench:
     name: Bench ${{ inputs.name }}
+    runs-on: ${{ needs.start-ec2-runner.outputs.label }}
     needs: start-ec2-runner # required to start the main job when the runner is ready
-    runs-on: ${{ needs.start-ec2-runner.outputs.label }} # run the job on the newly created runner
     steps:
       - uses: actions/checkout@v4
-      - name: Setup nix
-        uses: ./.github/actions/setup-nix
-        with:
-          devShell: ci
-          script: |
-            ARCH=$(uname -m)
-            cat >> $GITHUB_STEP_SUMMARY <<-EOF
-              ## Setup
-              Architecture: $ARCH
-              - $(uname -a)
-              - $(nix --version)
-              - $(astyle --version)
-              - $(${{ matrix.target.cross_prefix }}gcc --version | grep -m1 "")
-              - $(bash --version | grep -m1 "")
-
-              ## CPU Info
-              $(cat /proc/cpuinfo)
-            EOF
-      - name: Run benchmark
-        uses: ./.github/actions/bench
+      - uses: ./.github/actions/bench
         with:
+          use-nix: true
           name: ${{ inputs.name }}
           cflags: ${{ inputs.cflags }}
           archflags: ${{ inputs.archflags }}