ci: bump actions/checkout from 6.0.2 to 6.0.3 #292
Workflow file for this run
# Cross-checks qrypto.js signatures against independent implementations.
# Triggered by pushes and pull requests targeting main/master, and by
# manual dispatch.
name: Cross-Implementation Verification

on:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
  workflow_dispatch:

# Workflow-wide GITHUB_TOKEN scope: read-only access to repository contents.
# No job below requests anything broader.
permissions:
  contents: read

# At most one active run per workflow and ref; a newer run cancels the one
# still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# Every upstream repository used here is pinned to an explicit commit SHA.
# That way an upstream change (or compromise) cannot silently redefine what
# "verification passed" means, and PR results stay reproducible. To bump a
# pin, follow CONTRIBUTING.md "Updating pinned verification upstreams".
#
# GO_QRLLIB_DILITHIUM5_PIN is permanently historical. Upstream go-qrllib
# removed crypto/dilithium in v0.9.0 (1ae1760, PR #109, 2026-06-10);
# b2ee4790 = v0.8.0 is the last release that still contains it, so this leg
# verifies interop with the frozen legacy implementation. The mldsa87
# go-qrllib leg tracks a current pin and should be bumped routinely.
#
# Scope of these env pins: they govern the CLONES, which the Go→JS sign
# directions use. The JS→Go *verify* directions do not use the clones; they
# resolve go-qrllib through per-algorithm Go modules:
#   .github/cross-verify/mldsa87-go/go.mod     routinely bumped; keep on the
#                                              same release as
#                                              GO_QRLLIB_MLDSA87_PIN
#   .github/cross-verify/dilithium5-go/go.mod  frozen pseudo-version
# Those go.mod requirements are pins too — bump/freeze them per
# CONTRIBUTING.md.
#
# Values are quoted so a future SHA that happens to look numeric is still
# read as a string.
env:
  # v0.8.0 (2026-06-08), last release with crypto/dilithium
  GO_QRLLIB_DILITHIUM5_PIN: 'b2ee4790ef041104d2a48ae87cf68c0de621c89e'
  # v0.9.0 (2026-06-10)
  GO_QRLLIB_MLDSA87_PIN: '6f9978367906233874b406bd5d55b0e8b8d01d9c'
  # Round 3 (pre-FIPS) reference
  PQCRYSTALS_DILITHIUM5_PIN: 'ac743d588c6532aed027ccb1e7a24bfe6e35a120'
  # 2026-06-03, FIPS 204 reference
  PQCRYSTALS_MLDSA87_PIN: 'd35ba3fe5449bee3e6d43e1f296c3ca818bd36be'
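# Four independent legs. Each one signs with one implementation and verifies
# with the other, in both directions, so a leg only goes green when both
# sides agree on the same signature bytes.
#
# Shared conventions:
#   - Actions are referenced by full commit SHA; the trailing comment records
#     the release that SHA corresponds to.
#   - persist-credentials: false keeps the checkout token out of the local
#     git config, so later steps (npm ci, upstream code that is built and
#     run here) cannot read it from the workspace.
#   - Upstream sources are cloned and then checked out at the commit named by
#     the workflow-level env pin; the checked-out commit is echoed to the log.
#   - No step sets `shell:`, so scripts run under the runner's default
#     `bash -e`. A failing simple command aborts the step, which is what
#     stops the trailing "PASSED" echo from running after a failed verify.
jobs:
  dilithium5-cross-verify:
    name: Dilithium5 Cross-Verification (qrypto.js ↔ go-qrllib)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout qrypto.js
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22.x'

      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '1.25.x'

      - name: Install qrypto.js dependencies
        run: npm ci

      # Clone used by the Go→JS sign direction below.
      - name: Clone go-qrllib (pinned)
        run: |
          git clone https://github.com/theQRL/go-qrllib.git /tmp/go-qrllib
          git -C /tmp/go-qrllib checkout "$GO_QRLLIB_DILITHIUM5_PIN"
          echo "go-qrllib commit: $(git -C /tmp/go-qrllib rev-parse --short HEAD)"

      - name: Generate qrypto.js Dilithium5 signature
        run: node .github/cross-verify/dilithium5_sign.js

      # `cd` is on its own line on purpose. Written as `cd DIR && go run ...`,
      # a failing `cd` does not trip `bash -e` (errexit ignores every command
      # of an && list except the last), so the script would go on to print
      # "PASSED" and the step would succeed without verifying anything.
      - name: Verify qrypto.js signature with go-qrllib (frozen module pin)
        run: |
          echo "=== Verifying qrypto.js signature with go-qrllib ==="
          cd .github/cross-verify/dilithium5-go
          go run dilithium5_verify.go
          echo "✓ qrypto.js → go-qrllib: PASSED"

      # Runs the signer from inside the pinned clone.
      - name: Generate go-qrllib Dilithium5 signature
        run: |
          cd /tmp/go-qrllib
          go run "$GITHUB_WORKSPACE/.github/cross-verify/dilithium5_sign_goqrllib.go"

      - name: Verify go-qrllib signature with qrypto.js
        run: |
          echo "=== Verifying go-qrllib signature with qrypto.js ==="
          node .github/cross-verify/dilithium5_verify.js
          echo "✓ go-qrllib → qrypto.js: PASSED"

  mldsa87-cross-verify:
    name: ML-DSA-87 Cross-Verification (qrypto.js ↔ go-qrllib)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout qrypto.js
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22.x'

      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '1.25.x'

      - name: Install qrypto.js dependencies
        run: npm ci

      # Clone used by the Go→JS sign direction below.
      - name: Clone go-qrllib (pinned)
        run: |
          git clone https://github.com/theQRL/go-qrllib.git /tmp/go-qrllib
          git -C /tmp/go-qrllib checkout "$GO_QRLLIB_MLDSA87_PIN"
          echo "go-qrllib commit: $(git -C /tmp/go-qrllib rev-parse --short HEAD)"

      - name: Generate qrypto.js ML-DSA-87 signature
        run: node .github/cross-verify/mldsa87_sign.js

      # `cd` is on its own line so that a missing or renamed module directory
      # fails the step under `bash -e`; inside `cd DIR && go run ...` the
      # failure would be ignored and "PASSED" would still be printed.
      - name: Verify qrypto.js signature with go-qrllib (current release pin)
        run: |
          echo "=== Verifying qrypto.js ML-DSA-87 signature with go-qrllib ==="
          cd .github/cross-verify/mldsa87-go
          go run mldsa87_verify.go
          echo "✓ qrypto.js → go-qrllib: PASSED"

      # Runs the signer from inside the pinned clone.
      - name: Generate go-qrllib ML-DSA-87 signature
        run: |
          cd /tmp/go-qrllib
          go run "$GITHUB_WORKSPACE/.github/cross-verify/mldsa87_sign_goqrllib.go"

      - name: Verify go-qrllib signature with qrypto.js
        run: |
          echo "=== Verifying go-qrllib ML-DSA-87 signature with qrypto.js ==="
          node .github/cross-verify/mldsa87_verify.js
          echo "✓ go-qrllib → qrypto.js: PASSED"

  dilithium5-pqcrystals:
    name: Dilithium5 Cross-Verification (qrypto.js ↔ pq-crystals)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout qrypto.js
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22.x'

      - name: Install qrypto.js dependencies
        run: npm ci

      - name: Clone pq-crystals Dilithium (pinned, Round 3)
        run: |
          git clone https://github.com/pq-crystals/dilithium.git /tmp/dilithium-ref
          git -C /tmp/dilithium-ref checkout "$PQCRYSTALS_DILITHIUM5_PIN"
          echo "Reference commit: $(git -C /tmp/dilithium-ref rev-parse --short HEAD)"

      - name: Generate qrypto.js Dilithium5 signature
        run: node .github/cross-verify/dilithium5_sign.js

      # Builds this repository's verify harness together with the reference
      # sources from the pinned clone. The compiler is whatever gcc the
      # ubuntu-latest image provides; it is not pinned by this workflow.
      - name: Compile pq-crystals reference verifier
        run: |
          cd /tmp/dilithium-ref/ref
          gcc -o /tmp/verify_dilithium5 -DDILITHIUM_MODE=5 \
            "$GITHUB_WORKSPACE/.github/cross-verify/dilithium5_verify_ref.c" \
            sign.c packing.c polyvec.c poly.c ntt.c reduce.c \
            rounding.c symmetric-shake.c fips202.c randombytes.c -I. -O2

      - name: Verify qrypto.js signature with pq-crystals reference
        run: |
          echo "=== Verifying qrypto.js Dilithium5 signature with pq-crystals reference ==="
          /tmp/verify_dilithium5
          echo "✓ qrypto.js → pq-crystals: PASSED"

      - name: Compile pq-crystals reference signer
        run: |
          cd /tmp/dilithium-ref/ref
          gcc -o /tmp/sign_dilithium5_ref -DDILITHIUM_MODE=5 \
            "$GITHUB_WORKSPACE/.github/cross-verify/dilithium5_sign_ref.c" \
            sign.c packing.c polyvec.c poly.c ntt.c reduce.c \
            rounding.c symmetric-shake.c fips202.c randombytes.c -I. -O2

      - name: Generate pq-crystals reference signature
        run: /tmp/sign_dilithium5_ref

      - name: Verify pq-crystals signature with qrypto.js
        run: |
          echo "=== Verifying pq-crystals Dilithium5 signature with qrypto.js ==="
          node .github/cross-verify/dilithium5_verify_pqcrystals.js
          echo "✓ pq-crystals → qrypto.js: PASSED"

  mldsa87-pqcrystals:
    name: ML-DSA-87 Cross-Verification (qrypto.js ↔ pq-crystals)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout qrypto.js
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22.x'

      - name: Install qrypto.js dependencies
        run: npm ci

      # Same upstream repository as the Round 3 leg, at a different pin.
      - name: Clone pq-crystals Dilithium (pinned, FIPS 204 / ML-DSA)
        run: |
          git clone https://github.com/pq-crystals/dilithium.git /tmp/mldsa-ref
          git -C /tmp/mldsa-ref checkout "$PQCRYSTALS_MLDSA87_PIN"
          echo "Reference commit: $(git -C /tmp/mldsa-ref rev-parse --short HEAD)"

      - name: Generate qrypto.js ML-DSA-87 signature
        run: node .github/cross-verify/mldsa87_sign.js

      # Builds this repository's verify harness together with the reference
      # sources from the pinned clone. The compiler is whatever gcc the
      # ubuntu-latest image provides; it is not pinned by this workflow.
      - name: Compile pq-crystals reference verifier
        run: |
          cd /tmp/mldsa-ref/ref
          gcc -o /tmp/verify_mldsa87 -DDILITHIUM_MODE=5 \
            "$GITHUB_WORKSPACE/.github/cross-verify/mldsa87_verify_ref.c" \
            sign.c packing.c polyvec.c poly.c ntt.c reduce.c \
            rounding.c symmetric-shake.c fips202.c randombytes.c -I. -O2

      - name: Verify qrypto.js signature with pq-crystals reference
        run: |
          echo "=== Verifying qrypto.js ML-DSA-87 signature with pq-crystals reference ==="
          /tmp/verify_mldsa87
          echo "✓ qrypto.js → pq-crystals: PASSED"

      - name: Compile pq-crystals reference signer
        run: |
          cd /tmp/mldsa-ref/ref
          gcc -o /tmp/sign_mldsa87_ref -DDILITHIUM_MODE=5 \
            "$GITHUB_WORKSPACE/.github/cross-verify/mldsa87_sign_ref.c" \
            sign.c packing.c polyvec.c poly.c ntt.c reduce.c \
            rounding.c symmetric-shake.c fips202.c randombytes.c -I. -O2

      - name: Generate pq-crystals reference signature
        run: /tmp/sign_mldsa87_ref

      - name: Verify pq-crystals signature with qrypto.js
        run: |
          echo "=== Verifying pq-crystals ML-DSA-87 signature with qrypto.js ==="
          node .github/cross-verify/mldsa87_verify_pqcrystals.js
          echo "✓ pq-crystals → qrypto.js: PASSED"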