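# ci.yml: PR smoke checks, dependency audit, and manually dispatched
# test, ONNX-export and fuzz jobs.
#
# Hardening visible in this file:
#   - the workflow-wide GITHUB_TOKEN scope is limited to contents: read;
#   - every third-party action is referenced by a full commit SHA rather
#     than a mutable tag or branch;
#   - every checkout sets persist-credentials: false, so the token is not
#     left in the checkout's git config for later steps to read.
name: CI

# Least privilege: no job below requests anything beyond read access.
permissions:
  contents: read

on:
  # Uses pull_request (not pull_request_target), so the repository scripts
  # executed from the PR checkout run with the read-only scope above.
  pull_request:
    # Workflow files and zizmor.yml are listed so that changes to the CI
    # surface itself trigger the PR job and its workflow audit.
    paths:
      - ".github/workflows/**"
      - "src/**/*.rs"
      - "tests/**"
      - "programs/**"
      - "scripts/*.sh"
      - "scripts/**/*.sh"
      - "docs/engineering/hardening-policy.md"
      - "docs/engineering/hardening-strategy.md"
      - "zizmor.yml"
      - "deny.toml"
      - "Cargo.toml"
      - "Cargo.lock"
      - "fuzz/Cargo.toml"
      - "fuzz/Cargo.lock"
      - "vendor/onnx-protobuf/**"
  push:
    branches:
      - "main"
  # Daily run; together with push and manual dispatch this drives the
  # dependency-audit job, so the dependency audit is re-run even when
  # the lockfiles do not change.
  schedule:
    - cron: "17 4 * * *"
  workflow_dispatch:

jobs:
  # Runs only for pull requests. Shellcheck always runs; the workflow and
  # dependency audits run only when the PR touches their inputs.
  pr-smoke:
    name: lightweight PR lib smoke
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
          # Full history: the three-dot diffs below need the merge base
          # of the base and head commits.
          fetch-depth: 0
      - name: Install Rust
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
        with:
          toolchain: stable
      - name: Restore Rust cache
        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae
      # NOTE(review): no step in this job invokes the nightly toolchain
      # directly; presumably one of the scripts below does. Confirm, or
      # drop this cache restore.
      - name: Restore pinned nightly toolchain cache
        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809
        with:
          path: |
            ~/.rustup/toolchains/nightly-2025-07-14-*
            ~/.rustup/downloads
            ~/.rustup/update-hashes
          key: rustup-nightly-2025-07-14-${{ runner.os }}-${{ runner.arch }}
      - name: Validate local merge gate script
        run: |
          sudo apt-get update
          sudo apt-get install -y shellcheck python3-pip
          bash scripts/run_shellcheck_suite.sh
      # The SHAs reach the script through env and are double-quoted at
      # use, rather than being expanded into the script text.
      # NOTE(review): the dependency-audit step below includes its own
      # suite script in the diff path list; this one does not list
      # scripts/run_workflow_audit_suite.sh, so a PR that changes only
      # that script skips the audit. Consider adding it.
      # NOTE(review): uv is installed without a version pin, unlike
      # cargo-audit and cargo-deny in this file. Pin it to a reviewed
      # version.
      - name: Run workflow audit when workflow surfaces change
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          changed_workflow_inputs="$(git diff --name-only "$BASE_SHA...$HEAD_SHA" -- .github/workflows/ zizmor.yml)" || {
            echo "workflow audit diff computation failed" >&2
            exit 1
          }
          if [[ -z "$changed_workflow_inputs" ]]; then
            echo "workflow audit not required for this PR"
            exit 0
          fi
          python3 -m pip install --user uv
          export PATH="$HOME/.local/bin:$PATH"
          bash scripts/run_workflow_audit_suite.sh
      # A failed diff computation fails the step instead of being treated
      # as "nothing changed", so the audit cannot be skipped by an error.
      # The audit tools are version-pinned, built with --locked, and
      # installed into a per-run directory under RUNNER_TEMP.
      - name: Run dependency audit when dependency surfaces change
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          changed_dependency_inputs="$(git diff --name-only "$BASE_SHA...$HEAD_SHA" -- Cargo.toml Cargo.lock fuzz/Cargo.toml fuzz/Cargo.lock deny.toml scripts/run_dependency_audit_suite.sh vendor/onnx-protobuf/)" || {
            echo "dependency audit diff computation failed" >&2
            exit 1
          }
          if [[ -z "$changed_dependency_inputs" ]]; then
            echo "dependency audit not required for this PR"
            exit 0
          fi
          audit_root="$RUNNER_TEMP/dependency-audit-tools"
          cargo install --locked cargo-audit --version 0.22.1 --root "$audit_root"
          cargo install --locked cargo-deny --version 0.19.0 --root "$audit_root"
          export PATH="$audit_root/bin:$PATH"
          bash scripts/run_dependency_audit_suite.sh

  # Runs on every non-PR event (push to main, schedule, manual dispatch):
  # an unconditional dependency audit followed by a small regression smoke.
  dependency-audit:
    name: dependency audit
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Install Rust
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
        with:
          toolchain: stable
      - name: Restore Rust cache
        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae
      - name: Run dependency audit suite
        run: |
          audit_root="$RUNNER_TEMP/dependency-audit-tools"
          cargo install --locked cargo-audit --version 0.22.1 --root "$audit_root"
          cargo install --locked cargo-deny --version 0.19.0 --root "$audit_root"
          export PATH="$audit_root/bin:$PATH"
          bash scripts/run_dependency_audit_suite.sh
      # One lib test, five integration-test targets, then a single exact
      # stwo-backend test on the date-pinned nightly toolchain.
      - name: Run lightweight regression smoke
        run: |
          cargo test -q --lib statement_spec_contract_is_synced_with_constants
          smoke_targets=(assembly e2e interpreter runtime vanillastark_smoke)
          for test_target in "${smoke_targets[@]}"; do
            cargo test -q --test "$test_target"
          done
          rustup toolchain install nightly-2025-07-14 --profile minimal
          stwo_smoke=stwo_backend::decoding::tests::phase28_aggregated_chained_folded_intervalized_state_relation_rejects_header_mismatch_before_nested_checks
          cargo +nightly-2025-07-14 test -q \
            --features stwo-backend \
            --lib "$stwo_smoke" \
            -- \
            --exact

  # The remaining jobs run only on manual dispatch; they are not part of
  # the PR, push or scheduled runs.
  statement-spec:
    name: statement spec contract
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
        with:
          toolchain: stable
      - name: Restore Rust cache
        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae
      # The grep fails the step if the test no longer exists, so a rename
      # or removal cannot turn the second command into a silent no-op.
      - name: Validate statement spec constants contract
        run: |
          cargo test --quiet -- --list | grep -q "statement_spec_contract_is_synced_with_constants"
          cargo test --quiet statement_spec_contract_is_synced_with_constants

  cargo-test:
    name: cargo nextest (${{ matrix.name }})
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: default
            features: ""
            needs_python: false
            nextest_profile: ci
            rust_toolchain: stable
          - name: burn-model
            features: "burn-model"
            needs_python: false
            nextest_profile: ci
            rust_toolchain: stable
          - name: onnx-export
            features: "onnx-export"
            needs_python: true
            nextest_profile: ci
            rust_toolchain: stable
          - name: full
            features: "full"
            needs_python: true
            nextest_profile: ci
            rust_toolchain: stable
          - name: full-stwo-backend
            features: "full,stwo-backend"
            needs_python: true
            nextest_profile: ci-stwo
            rust_toolchain: nightly-2025-07-14
          - name: stwo-backend
            features: "stwo-backend"
            needs_python: false
            nextest_profile: ci-stwo
            rust_toolchain: nightly-2025-07-14
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
        with:
          toolchain: ${{ matrix.rust_toolchain }}
      - name: Install Python
        if: matrix.needs_python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.11"
      # NOTE(review): pip itself is upgraded to whatever is latest, and
      # nothing here shows whether scripts/requirements.txt is
      # hash-pinned. If it is, install with --require-hashes so the pins
      # are enforced.
      - name: Install Python dependencies
        if: matrix.needs_python
        run: |
          python -m pip install --upgrade pip
          python -m pip install -r scripts/requirements.txt
      - name: Restore Rust cache
        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae
      - name: Install cargo-nextest
        uses: taiki-e/install-action@80e6af7a2ec7f280fffe2d0a9d3a12a9d11d86e9
        with:
          tool: cargo-nextest@0.9.132
      # Matrix values are handed to the shell through env and quoted at
      # use instead of being expanded into the script text, matching the
      # fuzz-smoke job. The values are static today; this keeps the step
      # safe if the matrix ever becomes input-driven.
      - name: Run cargo nextest
        env:
          MATRIX_FEATURES: ${{ matrix.features }}
          MATRIX_NEXTEST_PROFILE: ${{ matrix.nextest_profile }}
        run: |
          feature_args=()
          if [ -n "$MATRIX_FEATURES" ]; then
            feature_args+=(--features "$MATRIX_FEATURES")
          fi
          cargo nextest run \
            --workspace \
            --all-targets \
            --profile "$MATRIX_NEXTEST_PROFILE" \
            --no-fail-fast \
            "${feature_args[@]}"
      - name: Run cargo doctests
        env:
          MATRIX_FEATURES: ${{ matrix.features }}
        run: |
          feature_args=()
          if [ -n "$MATRIX_FEATURES" ]; then
            feature_args+=(--features "$MATRIX_FEATURES")
          fi
          cargo test --workspace --doc "${feature_args[@]}"
      # always(): the report is uploaded even when the test steps fail;
      # a missing report is itself treated as an error.
      - name: Upload nextest junit report
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: nextest-junit-${{ matrix.name }}
          path: target/nextest/${{ matrix.nextest_profile }}/junit.xml
          if-no-files-found: error

  milestone-1-proof:
    name: export and validate ONNX workflow
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
      - name: Install Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.11"
      # NOTE(review): same unpinned pip upgrade and unverified
      # requirements install as in the cargo-test job.
      - name: Install Python dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install -r scripts/requirements.txt
      - name: Restore Rust cache
        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae
      - name: Export ONNX from CLI
        run: cargo run --features onnx-export --bin tvm -- export-onnx programs/fibonacci.tvm -o compiled/fibonacci
      - name: Verify all engines from CLI
        run: cargo run --features full --bin tvm -- run programs/fibonacci.tvm --verify-all
      - name: Validate exported ONNX in Python
        run: python scripts/validate_onnx.py compiled/fibonacci --program-name fibonacci --expected-acc 21 --expected-halted true
      - name: Generate research v2 one-step semantic artifact
        run: cargo run --features onnx-export --bin tvm -- research-v2-step programs/addition.tvm -o compiled/research-v2-addition-step.json --max-steps 1
      - name: Generate research v2 prefix-trace semantic artifact
        run: cargo run --features onnx-export --bin tvm -- research-v2-trace programs/addition.tvm -o compiled/research-v2-addition-trace.json --max-steps 8
      - name: Generate research v2 matrix semantic artifact
        run: cargo run --features onnx-export --bin tvm -- research-v2-matrix -o compiled/research-v2-matrix.json --program programs/addition.tvm --program programs/counter.tvm --max-steps 8

  # Smoke only: each target gets 32 runs over its corpus, and the job is
  # capped at 30 minutes. This checks that the harnesses build and run;
  # it is not a substitute for a sustained fuzzing campaign.
  fuzz-smoke:
    name: fuzz smoke (${{ matrix.target }})
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: phase12_decoding_manifest
            corpus: fuzz/corpus/phase12_decoding_manifest
          - target: phase14_decoding_manifest
            corpus: fuzz/corpus/phase14_decoding_manifest
          - target: phase12_shared_lookup_artifact
            corpus: fuzz/corpus/phase12_shared_lookup_artifact
          - target: phase29_recursive_compression_input_contract
            corpus: fuzz/corpus/phase29_recursive_compression_input_contract
          - target: phase30_decoding_step_proof_envelope_manifest
            corpus: fuzz/corpus/phase30_decoding_step_proof_envelope_manifest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
      # The toolchain channel is read from the repository file and
      # exported as a step output; an empty result fails the step.
      # NOTE(review): the value is written to GITHUB_OUTPUT unvalidated.
      # If the file ever held more than one matching line, the output
      # would span several lines. Consider checking it against the
      # expected channel format first.
      - name: Read fuzz toolchain
        id: fuzz-toolchain
        run: |
          channel="$(awk -F'\"' '/^channel = / { print $2 }' fuzz/rust-toolchain.toml)"
          if [ -z "$channel" ]; then
            echo "failed to read toolchain.channel from fuzz/rust-toolchain.toml" >&2
            exit 1
          fi
          echo "channel=$channel" >> "$GITHUB_OUTPUT"
      - name: Install Rust
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
        with:
          toolchain: ${{ steps.fuzz-toolchain.outputs.channel }}
      - name: Restore Rust cache
        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae
      # Step output and matrix values reach the shell via env and are
      # quoted at use.
      - name: Install cargo-fuzz
        env:
          FUZZ_TOOLCHAIN: ${{ steps.fuzz-toolchain.outputs.channel }}
        run: cargo +"$FUZZ_TOOLCHAIN" install cargo-fuzz --version 0.13.1 --locked
      - name: Install Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.11"
      - name: Regenerate fuzz corpus
        run: python3 scripts/fuzz/generate_decoding_fuzz_corpus.py
      - name: Run fuzz smoke
        env:
          FUZZ_TOOLCHAIN: ${{ steps.fuzz-toolchain.outputs.channel }}
          FUZZ_TARGET: ${{ matrix.target }}
          FUZZ_CORPUS: ${{ matrix.corpus }}
        run: cargo +"$FUZZ_TOOLCHAIN" fuzz run "$FUZZ_TARGET" "$FUZZ_CORPUS" -- -runs=32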