
Commit 263f4c9

committed
CI: Refactor to align with mlkem-native
This commit refactors our CI to split it into different workflows: Base, Extended, CBMC, Nix. This way we can first run the base CI before invoking the other workflows. It also allows the Extended and CBMC workflows to wait for the nix cache to be built in case it needs to change. Signed-off-by: Matthias J. Kannwischer <[email protected]>
1 parent 13bc4a4 commit 263f4c9


4 files changed

+299
-247
lines changed


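--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: CI
+permissions:
+contents: read
+on:
+workflow_dispatch:
+push:
+branches: ["main"]
+pull_request:
+branches: ["main"]
+types: [ "opened", "synchronize" ]
+
+jobs:
+base:
+name: Base
+permissions:
+contents: 'read'
+id-token: 'write'
+uses: ./.github/workflows/base.yml
+secrets: inherit
+nix:
+name: Nix
+permissions:
+actions: 'write'
+contents: 'read'
+id-token: 'write'
+uses: ./.github/workflows/nix.yml
+secrets: inherit
+ci:
+name: Extended
+permissions:
+contents: 'read'
+id-token: 'write'
+needs: [ base, nix ]
+uses: ./.github/workflows/ci.yml
+secrets: inherit
+cbmc:
+name: CBMC
+permissions:
+contents: 'read'
+id-token: 'write'
+needs: [ base, nix ]
+uses: ./.github/workflows/cbmc.yml
+secrets: inherit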
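Review bot: The `base` job is given `id-token: 'write'` and `secrets: inherit`, but nothing visible in base.yml uses OIDC or any secret other than `secrets.GITHUB_TOKEN`, which a called workflow receives without `inherit`. Unless one of the local composite actions (`./.github/actions/lint`, `setup-os`, `setup-apt`, none of them shown on this page) needs them, reduce the call to `permissions: { contents: 'read' }` and drop `secrets: inherit`, so that jobs which build pull-request code hold no cloud identity and no repository secrets. The same question applies to `nix` and its `actions: 'write'`, whose workflow is not on this page. A one-line comment above each `permissions:` block stating what the grant is for, e.g. `# id-token: OIDC for the EC2 runners` if that is the reason, would make the grants reviewable.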

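--- a/.github/workflows/base.yml
+++ b/.github/workflows/base.yml
@@ -0,0 +1,173 @@
+# Copyright (c) The mlkem-native project authors
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Base
+permissions:
+contents: read
+on:
+workflow_call:
+workflow_dispatch:
+
+jobs:
+lint:
+strategy:
+fail-fast: false
+matrix:
+system: [ubuntu-latest, pqcp-arm64]
+name: Linting
+runs-on: ${{ matrix.system }}
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: ./.github/actions/lint
+with:
+nix-shell: ci-linter
+gh_token: ${{ secrets.GITHUB_TOKEN }}
+cross-prefix: "aarch64-unknown-linux-gnu-"
+lint-markdown-link:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # v1.0.17
+quickcheck:
+strategy:
+fail-fast: false
+matrix:
+external:
+- ${{ github.repository_owner != 'pq-code-package' }}
+target:
+- runner: pqcp-arm64
+name: 'aarch64'
+- runner: ubuntu-latest
+name: 'x86_64'
+- runner: macos-latest
+name: 'macos (aarch64)'
+- runner: macos-13
+name: 'macos (x86_64)'
+exclude:
+- {external: true,
+target: {
+runner: pqcp-arm64,
+name: 'aarch64'
+}}
+name: Quickcheck (${{ matrix.target.name }})
+runs-on: ${{ matrix.target.runner }}
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- name: make quickcheck
+run: |
+OPT=0 make quickcheck
+make clean >/dev/null
+OPT=1 make quickcheck
+- uses: ./.github/actions/setup-os
+- name: tests func
+run: |
+./scripts/tests func
+quickcheck_bench:
+strategy:
+fail-fast: false
+matrix:
+external:
+- ${{ github.repository_owner != 'pq-code-package' }}
+target:
+- runner: pqcp-arm64
+name: 'aarch64'
+- runner: pqcp-arm64
+name: 'aarch64'
+- runner: ubuntu-latest
+name: 'x86_64'
+- runner: macos-latest
+name: 'macos (aarch64)'
+- runner: macos-13
+name: 'macos (x86_64)'
+exclude:
+- {external: true,
+target: {
+runner: pqcp-arm64,
+name: 'aarch64'
+}}
+name: Quickcheck bench (${{ matrix.target.name }})
+runs-on: ${{ matrix.target.runner }}
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- name: "tests bench (cycles: NO)"
+run: |
+./scripts/tests bench -c NO
+- name: "tests bench (build only, cycles: PMU)"
+if: ${{ matrix.target.name != 'macos (aarch64)' && matrix.target.name != 'macos (x86_64)' }}
+run: |
+make clean
+./scripts/tests bench -c PMU --no-run
+- name: "tests bench (build only, cycles: PERF)"
+if: ${{ matrix.target.name != 'macos (aarch64)' && matrix.target.name != 'macos (x86_64)' }}
+run: |
+make clean
+./scripts/tests bench -c PERF --no-run
+- name: "tests bench (build only, cycles: MAC)"
+if: ${{ matrix.target.name == 'macos (aarch64)' || matrix.target.name == 'macos (x86_64)' }}
+run: |
+make clean
+./scripts/tests bench -c MAC --no-run
+- name: tests bench components
+run: |
+make clean
+./scripts/tests bench --components -c NO
+quickcheck-c90:
+strategy:
+fail-fast: false
+matrix:
+external:
+- ${{ github.repository_owner != 'pq-code-package' }}
+target:
+- runner: pqcp-arm64
+name: 'aarch64'
+- runner: ubuntu-latest
+name: 'x86_64'
+exclude:
+- {external: true,
+target: {
+runner: pqcp-arm64,
+name: 'aarch64'
+}}
+name: Quickcheck C90 (${{ matrix.target.name }})
+runs-on: ${{ matrix.target.runner }}
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- name: make quickcheck
+run: |
+OPT=0 CFLAGS=-std=c90 make quickcheck
+make clean >/dev/null
+OPT=1 CFLAGS=-std=c90 make quickcheck
+- uses: ./.github/actions/setup-apt
+- name: tests func
+run: |
+./scripts/tests func --cflags="-std=c90"
+- name: tests bench
+run: |
+./scripts/tests bench -c NO --cflags="-std=c90"
+- name: tests bench components
+run: |
+./scripts/tests bench --components -c NO --cflags="-std=c90"
+scan-build:
+strategy:
+fail-fast: false
+matrix:
+external:
+- ${{ github.repository_owner != 'pq-code-package' }}
+target:
+- runner: pqcp-arm64
+name: 'aarch64'
+- runner: ubuntu-latest
+name: 'x86_64'
+name: scan-build (${{ matrix.target.name }})
+runs-on: ${{ matrix.target.runner }}
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: ./.github/actions/setup-apt
+with:
+packages: clang-tools clang
+- name: make quickcheck
+run: |
+scan-build --status-bugs make quickcheck OPT=0
+make clean >/dev/null
+scan-build --status-bugs make quickcheck OPT=1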
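Review bot: The `external` guard that keeps jobs off `pqcp-arm64` is applied unevenly: `quickcheck`, `quickcheck_bench` and `quickcheck-c90` carry the `exclude` entry, but `scan-build` declares `external` with no `exclude`, and `lint` lists `pqcp-arm64` in `system` with no guard at all. The guard also tests only `github.repository_owner`, so a pull request from a fork into the upstream repository still builds and runs contributor code on that runner; if `pqcp-arm64` is a self-hosted runner (the label suggests it, the page does not say), that is worth closing, as cbmc.yml already does with `!github.event.pull_request.head.repo.fork`. I would copy the `exclude` block into `scan-build`, guard `lint` the same way, and widen the matrix value to `${{ github.repository_owner != 'pq-code-package' || github.event.pull_request.head.repo.fork == true }}`. Separately, `quickcheck_bench` lists the `pqcp-arm64` / `'aarch64'` target twice, which looks like a copy-paste leftover.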

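--- a/.github/workflows/cbmc.yml
+++ b/.github/workflows/cbmc.yml
@@ -0,0 +1,79 @@
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: CBMC
+permissions:
+contents: read
+on:
+workflow_call:
+workflow_dispatch:
+
+jobs:
+cbmc_44:
+name: CBMC (ML-DSA-44)
+if: ${{ github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork }}
+permissions:
+contents: 'read'
+id-token: 'write'
+uses: ./.github/workflows/ci_ec2_reusable.yml
+with:
+name: CBMC (ML-DSA-44)
+ec2_instance_type: c7g.8xlarge
+ec2_ami: ubuntu-latest (custom AMI)
+ec2_ami_id: ami-0d7f502261b31b27f # aarch64, ubuntu-latest, 64g
+compile_mode: native
+opt: no_opt
+lint: false
+verbose: true
+functest: true
+kattest: false
+nistkattest: false
+acvptest: false
+cbmc: true
+cbmc_mldsa_mode: 2
+secrets: inherit
+cbmc_65:
+name: CBMC (ML-DSA-65)
+if: ${{ github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork }}
+permissions:
+contents: 'read'
+id-token: 'write'
+uses: ./.github/workflows/ci_ec2_reusable.yml
+with:
+name: CBMC (ML-DSA-65)
+ec2_instance_type: c7g.8xlarge
+ec2_ami: ubuntu-latest (custom AMI)
+ec2_ami_id: ami-0d7f502261b31b27f # aarch64, ubuntu-latest, 64g
+compile_mode: native
+opt: no_opt
+lint: false
+verbose: true
+functest: true
+kattest: false
+nistkattest: false
+acvptest: false
+cbmc: true
+cbmc_mldsa_mode: 3
+secrets: inherit
+cbmc_87:
+name: CBMC (ML-DSA-87)
+if: ${{ github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork }}
+permissions:
+contents: 'read'
+id-token: 'write'
+uses: ./.github/workflows/ci_ec2_reusable.yml
+with:
+name: CBMC (ML-DSA-87)
+ec2_instance_type: c7g.8xlarge
+ec2_ami: ubuntu-latest (custom AMI)
+ec2_ami_id: ami-0d7f502261b31b27f # aarch64, ubuntu-latest, 64g
+compile_mode: native
+opt: no_opt
+lint: false
+verbose: true
+functest: true
+kattest: false
+nistkattest: false
+acvptest: false
+cbmc: true
+cbmc_mldsa_mode: 5
+secrets: inherit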
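Review bot: `cbmc_44`, `cbmc_65` and `cbmc_87` are three copies of one job that differ only in `name` and `cbmc_mldsa_mode`, so the AMI id `ami-0d7f502261b31b27f`, the instance type and the fork guard each have to be kept in sync by hand in three places. A reusable-workflow call accepts `strategy.matrix`, so a single job parameterised on the parameter set removes the duplication. The sketch below keeps the displayed job names, but the job id changes, which matters if branch protection refers to the old check names. Whether `cbmc_mldsa_mode` accepts the matrix value depends on the input type declared in ci_ec2_reusable.yml, which is not on this page.

```yaml
jobs:
  cbmc:
    strategy:
      fail-fast: false
      matrix:
        target:
          - {level: '44', mode: 2}
          - {level: '65', mode: 3}
          - {level: '87', mode: 5}
    name: CBMC (ML-DSA-${{ matrix.target.level }})
    # … unchanged: if guard, permissions, uses …
    with:
      name: CBMC (ML-DSA-${{ matrix.target.level }})
      # … unchanged: ec2_* inputs through cbmc: true …
      cbmc_mldsa_mode: ${{ matrix.target.mode }}
    secrets: inherit
```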
