
Bootstrap repo to confirmed paper1 snapshot #1


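# Gate for pull requests that touch trusted-core paths: the PR body must carry
# the "## Validation" and "## Hardening" sections and every hardening checklist
# item must be ticked or explicitly documented as not applicable.
name: PR hardening contract
on:
  pull_request:
    # "edited" re-runs the check when the PR body changes, not only on pushes.
    types: [opened, edited, synchronize, reopened]
  workflow_dispatch:
# Read-only token.
# NOTE(review): the step below reads the PR body from the event payload and
# makes no API call; confirm whether pull-requests: read is still required.
permissions:
  contents: read
  pull-requests: read
jobs:
  hardening-contract:
    name: hardening contract
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pinned to a full commit SHA so a moved tag cannot change the code run.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # Full history so both BASE_SHA and HEAD_SHA can be resolved locally.
          fetch-depth: 0
          # Do not leave the job token in .git/config for later commands.
          persist-credentials: false
      - name: Validate PR hardening contract
        # The PR body is attacker-controlled text. It is handed to the script
        # through the environment and never interpolated into the run block,
        # so it cannot alter the shell or Python source.
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_BODY: ${{ github.event.pull_request.body }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          python3 - <<'PY'
          import os
          import subprocess
          import sys

          pr_number = os.environ.get("PR_NUMBER") or ""
          base = os.environ.get("BASE_SHA") or ""
          head = os.environ.get("HEAD_SHA") or ""
          body = os.environ.get("PR_BODY") or ""

          # workflow_dispatch runs carry no pull_request payload.
          if not pr_number:
              print("No pull_request context; skipping hardening contract.")
              sys.exit(0)

          # NOTE(review): both early exits in this loop return 0, so the gate
          # passes (fails open) when a SHA is missing or cannot be resolved.
          # Confirm that is intended if this check is a required status.
          for rev_name, rev in (("BASE_SHA", base), ("HEAD_SHA", head)):
              if not rev:
                  print(f"{rev_name} is missing; skipping hardening contract.")
                  sys.exit(0)
              result = subprocess.run(
                  ["git", "rev-parse", "--verify", "--quiet", rev],
                  stdout=subprocess.DEVNULL,
                  stderr=subprocess.DEVNULL,
              )
              if result.returncode != 0:
                  print(f"{rev_name} does not resolve locally; skipping hardening contract.")
                  sys.exit(0)

          # Files changed on the PR side since the merge base.
          changed = subprocess.check_output(
              ["git", "diff", "--name-only", f"{base}...{head}"],
              text=True,
          ).splitlines()

          # Entries ending in "/" or "_" act as prefixes; the rest are single files.
          trusted_prefixes = (
              "src/stwo_backend/",
              "src/bin/tvm.rs",
              "src/proof.rs",
              "src/verification.rs",
              "tests/",
              ".github/workflows/",
              "scripts/local_merge_gate.sh",
              "scripts/run_",
              "scripts/hardening_test_names.sh",
              "docs/engineering/hardening-policy.md",
              "docs/engineering/hardening-strategy.md",
              "zizmor.yml",
          )
          # str.startswith with a tuple also covers exact matches.
          touches_trusted_core = any(
              path.startswith(trusted_prefixes) for path in changed
          )
          if not touches_trusted_core:
              print("No trusted-core paths changed; skipping hardening contract.")
              sys.exit(0)

          required_snippets = ["## Validation", "## Hardening"]
          missing = [snippet for snippet in required_snippets if snippet not in body]
          if missing:
              print("Trusted-core PRs must include the hardening contract in the PR body.")
              print("Missing snippets:")
              for snippet in missing:
                  print(f" - {snippet}")
              sys.exit(1)

          required_checked_lines = [
              "- [x] targeted regression and tamper-path coverage added or updated",
              "- [x] oracle or differential checks added/updated, or marked not applicable below",
              "- [x] resource-bound / untrusted-input impact reviewed, or marked not applicable below",
              "- [x] Kani / formal-kernel impact reviewed, or marked not applicable below",
          ]

          lower_body = body.lower()
          body_lines = [raw.strip() for raw in lower_body.splitlines()]


          def documents_not_applicable(candidate, item_text):
              """Return True when a body line names the item AND marks it N/A.

              Three of the item texts themselves contain "not applicable", so
              the marker is searched only in what remains of the line once the
              item text is removed. Without that, an unticked "- [ ] ..."
              template line would count as documented.
              """
              if item_text not in candidate:
                  return False
              remainder = candidate.replace(item_text, "")
              return "n/a" in remainder or "not applicable" in remainder


          unchecked = []
          for line in required_checked_lines:
              # Case-insensitive so that "- [X]" is accepted as ticked too.
              if line.lower() in lower_body:
                  continue
              item_text = line[len("- [x] "):].lower()
              if not any(
                  documents_not_applicable(candidate, item_text)
                  for candidate in body_lines
              ):
                  unchecked.append(line)

          if unchecked:
              print("Trusted-core PRs must check each hardening item or document it as N/A.")
              print("Unchecked or undocumented items:")
              for line in unchecked:
                  print(f" - {line}")
              sys.exit(1)

          print("Trusted-core PR body includes the hardening contract.")
          PY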