From b1c8362fb6676d445a8d687db3e84ee61abf0896 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Mon, 14 Jul 2025 14:57:41 +0800 Subject: [PATCH 1/2] Add nix setup and compiler tests in CI Tests the following compilers: - GCC: 4.8, 4.9, 7, 11, 13, 14 - Clang: 18, 19, 20 Zig (0.12, 0.13, 0.14) are also added, but since they are currently failing, I disabled them for now. Signed-off-by: Matthias J. Kannwischer --- .github/actions/functest/action.yml | 40 ++++++++++ .github/actions/multi-functest/action.yml | 37 +++++++++ .github/workflows/all.yml | 8 ++ .github/workflows/ci.yml | 97 +++++++++++++++++++++++ flake.nix | 4 +- 5 files changed, 184 insertions(+), 2 deletions(-) create mode 100644 .github/actions/functest/action.yml create mode 100644 .github/actions/multi-functest/action.yml create mode 100644 .github/workflows/ci.yml
diff --git a/.github/actions/functest/action.yml b/.github/actions/functest/action.yml
new file mode 100644
index 0000000..a59ac0b
--- /dev/null
+++ b/.github/actions/functest/action.yml
@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Functional tests
+description: Run functional tests
+
+inputs:
+ nix-shell:
+ description: Run in the specified Nix environment if exists
+ default: "ci"
+ custom_shell:
+ description: The shell to use. Only relevant if no nix-shell specified
+ default: "bash"
+ nix-cache:
+ description: Determine whether to enable nix cache
+ default: 'false'
+ nix-verbose:
+ description: Determine wether to suppress nix log or not
+ default: 'false'
+ gh_token:
+ description: Github access token to use
+ required: true
+ cflags:
+ description: CFLAGS to pass to compilation
+ default: ""
+
+runs:
+ using: composite
+ steps:
+ - uses: ./.github/actions/setup-nix
+ with:
+ devShell: ${{ inputs.nix-shell }}
+ cache: ${{ inputs.nix-cache }}
+ verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
+ - name: Functional tests
+ shell: ${{ env.SHELL }}
+ run: |
+ make clean
+ CFLAGS="${{ inputs.cflags }}" make test
+
diff --git a/.github/actions/multi-functest/action.yml b/.github/actions/multi-functest/action.yml
new file mode 100644
index 0000000..8c7da29
--- /dev/null
+++ b/.github/actions/multi-functest/action.yml
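Review bot: The "Functional tests" step splices `${{ inputs.cflags }}` straight into the script text (`CFLAGS="${{ inputs.cflags }}" make test`), so the value is substituted before the shell parses the line and any quote or command substitution in it becomes shell syntax. The callers added in this patch only pass fixed matrix strings, so this is hardening rather than a live injection, but a reusable composite action should not rely on its callers for that. Pass the value through the step environment instead: add `env:` with `CFLAGS: ${{ inputs.cflags }}` to the step and reduce the command to `make test`. Separately, `custom_shell` is declared here (and forwarded by multi-functest) but never referenced; the step shell comes from `env.SHELL`, presumably exported by setup-nix, which is not part of this patch, so either wire the input through or drop it.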
@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Multiple Functional tests
+description: Run functional tests
+
+inputs:
+ nix-shell:
+ description: Run in the specified Nix environment if exists
+ default: "ci"
+ custom_shell:
+ description: The shell to use. Only relevant if no nix-shell specified
+ default: "bash"
+ nix-cache:
+ description: Determine whether to enable nix cache
+ default: 'false'
+ nix-verbose:
+ description: Determine wether to suppress nix log or not
+ default: 'false'
+ gh_token:
+ description: Github access token to use
+ required: true
+ cflags:
+ description: CFLAGS to pass to compilation
+ default: ""
+
+runs:
+ using: composite
+ steps:
+ - name: Native Tests
+ uses: ./.github/actions/functest
+ with:
+ nix-shell: ${{ inputs.nix-shell }}
+ nix-cache: ${{ inputs.nix-cache }}
+ nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
+ custom_shell: ${{ inputs.custom_shell }}
+ cflags: ${{ inputs.cflags }}
\ No newline at end of file
diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index 2261828..7c3b255 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -28,6 +28,14 @@ jobs:
 id-token: 'write'
 uses: ./.github/workflows/nix.yml
 secrets: inherit
+ ci:
+ name: Extended
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ needs: [ base, nix ]
+ uses: ./.github/workflows/ci.yml
+ secrets: inherit
 cbmc:
 name: CBMC
 permissions:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..f642fa5
--- /dev/null
+++ b/.github/workflows/ci.yml
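Review bot: The new `ci` job in all.yml grants the called workflow `id-token: 'write'` and `secrets: inherit`, while ci.yml as added in this patch declares only `contents: read` and references no secret other than `secrets.GITHUB_TOKEN`, which a called workflow receives without inheritance. A called workflow cannot raise the caller's permissions and ci.yml lowers them itself, so the OIDC grant looks unused; `secrets: inherit` meanwhile makes every secret of the calling workflow available to ci.yml, whose matrix includes `pqcp-arm64`, which looks like a self-hosted runner label. Unless setup-nix (not shown in this patch) needs OIDC or a named secret, reduce the job to `permissions:` with `contents: 'read'` and drop the `secrets: inherit` line. The `jobs:` mapping starts before this hunk, so the triggers that reach this job are not visible here.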
@@ -0,0 +1,97 @@
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Extended
+permissions:
+ contents: read
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+ compiler_tests:
+ name: Compiler tests (${{ matrix.compiler.name }}, ${{ matrix.target.name }}, ${{ matrix.cflags }})
+ strategy:
+ fail-fast: false
+ matrix:
+ cflags: [ "-Os", "-O3" ]
+ target:
+ - runner: pqcp-arm64
+ name: 'aarch64'
+ archflags: ''
+ - runner: ubuntu-latest
+ name: 'x86_64'
+ archflags: '-mavx2 -mbmi2 -mpopcnt -maes'
+ - runner: macos-latest
+ name: 'macos'
+ archflags: ''
+ compiler:
+ - name: gcc-4.8
+ shell: ci_gcc48
+ darwin: False
+ - name: gcc-4.9
+ shell: ci_gcc49
+ darwin: False
+ - name: gcc-7
+ shell: ci_gcc7
+ darwin: False
+ - name: gcc-11
+ shell: ci_gcc11
+ darwin: True
+ - name: gcc-13
+ shell: ci_gcc13
+ darwin: True
+ - name: gcc-14
+ shell: ci_gcc14
+ darwin: True
+ - name: clang-18
+ shell: ci_clang18
+ darwin: True
+ - name: clang-19
+ shell: ci_clang19
+ darwin: True
+ - name: clang-20
+ shell: ci_clang20
+ darwin: True
+ # CPU flags are not correctly passed to the zig assembler
+ # https://github.com/ziglang/zig/issues/23576
+ # We therefore only test the C backend
+ #
+ # We omit all examples since there is currently no way to run
+ # only those examples not involving native code.
+ # TODO: compiling with zig leads to test failures right now - needs to be revisited.
+ #- name: zig-0.12
+ # shell: ci_zig0_12
+ # darwin: True
+ #- name: zig-0.13
+ # shell: ci_zig0_13
+ # darwin: True
+ #- name: zig-0.14
+ # shell: ci_zig0_14
+ # darwin: True
+ exclude:
+ # Exclude old GCC versions from macOS and aarch64 runners
+ - target: { name: 'macos' }
+ compiler: { darwin: False }
+ - target: { name: 'aarch64' }
+ compiler: { darwin: False }
+ runs-on: ${{ matrix.target.runner }}
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: build+functest (default)
+ uses: ./.github/actions/multi-functest
+ with:
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
+ nix-shell: ${{ matrix.compiler.shell }}
+ cflags: "${{ matrix.cflags }} ${{ matrix.target.archflags }}"
+ - name: native build+functest (C90)
+ uses: ./.github/actions/multi-functest
+ with:
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
+ nix-shell: ${{ matrix.compiler.shell }}
+ cflags: "-std=c90 ${{ matrix.cflags }} ${{ matrix.target.archflags }}"
+ - name: native build+functest (C99)
+ uses: ./.github/actions/multi-functest
+ with:
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
+ nix-shell: ${{ matrix.compiler.shell }}
+ cflags: "-std=c99 ${{ matrix.cflags }} ${{ matrix.target.archflags }}"
diff --git a/flake.nix b/flake.nix
index 1d1ba48..afe48c7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT { - description = "mlkem-native"; + description = "slhdsa-c"; inputs = { nixpkgs-2405.url = "github:NixOS/nixpkgs/nixos-24.05";
@@ -58,7 +58,7 @@ packages.linters = util.linters; packages.cbmc = util.cbmc_pkgs; - + packages.toolchains = util.toolchains; packages.toolchains_native = util.toolchains_native; packages.toolchain_x86_64 = util.toolchain_x86_64;
From af2fde9a19b0c66cb5ef8966079686451f95fba3 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 29 Jul 2025 10:09:33 +0800 Subject: [PATCH 2/2] set CODEOWNERS
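Review bot: The `actions/checkout` step under `steps:` in ci.yml is pinned to a commit SHA, but it keeps the default credential persistence, so the job token stays in the workspace's git configuration while the later steps build and run the test suite on every matrix target. None of the visible steps needs git access after checkout, so add `with:` and `persist-credentials: false` to that step. The matrix also sends jobs to `pqcp-arm64`, which looks like a self-hosted runner label; a comment next to `runner: pqcp-arm64` stating whether that runner is ephemeral would let reviewers judge what state can carry over between runs. The job has no `timeout-minutes`, so a hung compiler test holds a runner until the platform default expires; a bound chosen by the maintainers would cap that.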
Signed-off-by: Matthias J. Kannwischer --- CODEOWNERS | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 CODEOWNERS
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..3cd9876
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+# Last matching pattern has precedence
+
+* @pq-code-package/pqcp-slhdsa-c-admin