mirror of
https://github.com/open-quantum-safe/liboqs.git
synced 2025-10-04 00:02:01 -04:00
2f02bf44e3
Duplicate jobs from the CircleCI workflow as closely as possible in GitHub Actions. Remove Ubuntu Bionic / i386 support in CI. --------- Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
350 lines
17 KiB
YAML
350 lines
17 KiB
YAML
name: Linux and MacOS tests
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
on: [ push, pull_request ]
|
|
|
|
jobs:
|
|
|
|
stylecheck:
|
|
name: Check code formatting
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Ensure code conventions are upheld
|
|
run: python3 -m pytest --verbose tests/test_code_conventions.py
|
|
- name: Check that doxygen can parse the documentation
|
|
run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build
|
|
- name: Validate CBOM
|
|
run: scripts/validate_cbom.sh
|
|
|
|
upstreamcheck:
|
|
name: Check upstream code is properly integrated
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Verify copy_from_upstream state
|
|
run: |
|
|
git config --global user.name "ciuser" && \
|
|
git config --global user.email "ci@openquantumsafe.org" && \
|
|
export LIBOQS_DIR=`pwd` && \
|
|
git config --global --add safe.directory $LIBOQS_DIR && \
|
|
cd scripts/copy_from_upstream && \
|
|
! pip3 install --require-hashes -r requirements.txt 2>&1 | grep ERROR && \
|
|
python3 copy_from_upstream.py copy && \
|
|
! git status | grep modified
|
|
|
|
buildcheck:
|
|
name: Check that code passes a basic build before starting heavier tests
|
|
needs: [ stylecheck, upstreamcheck ]
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- arch: arm64
|
|
runner: oqs-arm64
|
|
- arch: x86_64
|
|
runner: ubuntu-latest
|
|
runs-on: ${{ matrix.runner }}
|
|
container: openquantumsafe/ci-ubuntu-focal-${{ matrix.arch }}:latest
|
|
env:
|
|
KEM_NAME: kyber_768
|
|
SIG_NAME: dilithium_3
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Configure
|
|
run: |
|
|
mkdir build && \
|
|
cd build && \
|
|
cmake .. --warn-uninitialized \
|
|
-GNinja \
|
|
-DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \
|
|
> config.log 2>&1 && \
|
|
cat config.log && \
|
|
cmake -LA -N .. && \
|
|
! (grep "uninitialized variable" config.log)
|
|
- name: Build code
|
|
run: ninja
|
|
working-directory: build
|
|
- name: Build documentation
|
|
run: ninja gen_docs
|
|
working-directory: build
|
|
if: matrix.arch == 'x86_64'
|
|
|
|
linux:
|
|
needs: buildcheck
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- name: arm64
|
|
runner: oqs-arm64
|
|
container: openquantumsafe/ci-ubuntu-focal-arm64:latest
|
|
PYTEST_ARGS: --maxprocesses=10 --ignore=tests/test_kat_all.py
|
|
CMAKE_ARGS: -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON
|
|
- name: alpine
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-alpine-amd64:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
|
|
- name: alpine-no-stfl-key-sig-gen
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-alpine-amd64:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
|
|
- name: alpine-openssl-all
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-alpine-amd64:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
|
|
- name: alpine-noopenssl
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-alpine-amd64:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
|
|
- name: focal-nistr4-openssl
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_R4
|
|
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
|
|
- name: focal-nistonramp-openssl
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_SIG_ONRAMP
|
|
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
|
|
- name: focal-noopenssl
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF
|
|
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
|
|
- name: focal-shared-noopenssl
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-7 -DOQS_DIST_BUILD=OFF -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_namespace.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
|
|
- name: focal-clang15
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang-15
|
|
PYTEST_ARGS: --ignore=tests/test_kat_all.py
|
|
- name: jammy-std-openssl3
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-jammy:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
|
|
- name: jammy-std-openssl3-dlopen
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-jammy:latest
|
|
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON
|
|
PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
|
|
- name: address-sanitizer
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10
|
|
- name: address-sanitizer-no-stfl-key-sig-gen
|
|
runner: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10
|
|
runs-on: ${{ matrix.runner }}
|
|
container:
|
|
image: ${{ matrix.container }}
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Configure
|
|
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
|
|
- name: Build
|
|
run: ninja
|
|
working-directory: build
|
|
- name: Run tests
|
|
timeout-minutes: 60
|
|
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --numprocesses=auto ${{ matrix.PYTEST_ARGS }}
|
|
- name: Package .deb
|
|
if: matrix.name == 'jammy-std-openssl3'
|
|
run: cpack
|
|
working-directory: build
|
|
- name: Retain .deb file
|
|
if: matrix.name == 'jammy-std-openssl3'
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
|
|
with:
|
|
name: liboqs-openssl3-shared-x64
|
|
path: build/*.deb
|
|
- name: Check STD algorithm and alias
|
|
if: matrix.name == 'jammy-std-openssl3'
|
|
run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n isnull: false" && tests/dump_alg_info | grep -zoP "ML-KEM-512-ipd:\n isnull: true"'
|
|
working-directory: build
|
|
|
|
linux_arm_emulated:
|
|
needs: buildcheck
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- name: armhf
|
|
ARCH: armhf
|
|
CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
|
|
- name: armhf-no-stfl-key-sig-gen
|
|
ARCH: armhf
|
|
CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
|
|
# no longer supporting armel
|
|
# - name: armel
|
|
# ARCH: armel
|
|
# CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Install the emulation handlers
|
|
run: docker run --rm --privileged multiarch/qemu-user-static:register --reset
|
|
- name: Build in an x86_64 container
|
|
run: |
|
|
docker run --rm \
|
|
-v `pwd`:`pwd` \
|
|
-w `pwd` \
|
|
openquantumsafe/ci-debian-buster-amd64:latest /bin/bash \
|
|
-c "mkdir build && \
|
|
(cd build && \
|
|
cmake .. -GNinja ${{ matrix.CMAKE_ARGS }} \
|
|
-DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_${{ matrix.ARCH }}.cmake && \
|
|
cmake -LA -N .. && \
|
|
ninja)"
|
|
- name: Run the tests in an ${{ matrix.ARCH }} container
|
|
timeout-minutes: 60
|
|
run: |
|
|
docker run --rm -e SKIP_TESTS=style,mem_kem,mem_sig \
|
|
-v `pwd`:`pwd` \
|
|
-w `pwd` \
|
|
openquantumsafe/ci-debian-buster-${{ matrix.ARCH }}:latest /bin/bash \
|
|
-c "mkdir -p tmp && \
|
|
python3 -m pytest --verbose \
|
|
--numprocesses=auto \
|
|
--ignore=tests/test_code_conventions.py ${{ matrix.PYTEST_ARGS }}"
|
|
|
|
linux_cross_compile:
|
|
needs: buildcheck
|
|
runs-on: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- name: windows-binaries
|
|
CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake
|
|
- name: windows-dll
|
|
CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake -DBUILD_SHARED_LIBS=ON
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Configure
|
|
run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
|
|
- name: Build
|
|
run: ninja
|
|
working-directory: build
|
|
|
|
macos:
|
|
needs: buildcheck
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os:
|
|
# macos-14 runs on aarch64; the others run on x64
|
|
- macos-12
|
|
- macos-13
|
|
- macos-14
|
|
CMAKE_ARGS:
|
|
- -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
|
|
- -DCMAKE_C_COMPILER=gcc-13
|
|
- -DOQS_USE_OPENSSL=OFF
|
|
- -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF
|
|
runs-on: ${{ matrix.os }}
|
|
steps:
|
|
- name: Install Python
|
|
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5
|
|
with:
|
|
python-version: '3.12'
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Install dependencies
|
|
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt
|
|
- name: Patch GCC
|
|
run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall --ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies --formula gcc@13.rb
|
|
- name: Get system information
|
|
run: sysctl -a | grep machdep.cpu
|
|
- name: Configure
|
|
run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
|
|
- name: Build
|
|
run: ninja
|
|
working-directory: build
|
|
- name: Run tests
|
|
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py ${{ matrix.PYTEST_ARGS }}
|
|
timeout-minutes: 60
|
|
|
|
linux_openssl330-dev:
|
|
needs: buildcheck
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: openquantumsafe/ci-ubuntu-jammy:latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
- name: Retrieve OpenSSL330 from cache
|
|
id: cache-openssl330
|
|
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
|
|
with:
|
|
path: .localopenssl330
|
|
key: ${{ runner.os }}-openssl330
|
|
- name: Checkout the OpenSSL v3.3.0 commit
|
|
if: steps.cache-openssl330.outputs.cache-hit != 'true'
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
|
|
with:
|
|
repository: 'openssl/openssl'
|
|
ref: 'openssl-3.3.0-beta1'
|
|
path: openssl
|
|
- name: Prepare the OpenSSL build directory
|
|
if: steps.cache-openssl330.outputs.cache-hit != 'true'
|
|
run: mkdir .localopenssl330
|
|
working-directory: openssl
|
|
- name: Build openssl3 if not cached
|
|
if: steps.cache-openssl330.outputs.cache-hit != 'true'
|
|
run: |
|
|
./config --prefix=`pwd`/../.localopenssl330 && make -j 4 && make install_sw install_ssldirs
|
|
working-directory: openssl
|
|
- name: Save OpenSSL
|
|
id: cache-openssl-save
|
|
if: steps.cache-openssl330.outputs.cache-hit != 'true'
|
|
uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
|
|
with:
|
|
path: |
|
|
.localopenssl330
|
|
key: ${{ runner.os }}-openssl330
|
|
- name: Configure
|
|
run: mkdir build && cd build && cmake -GNinja -DOQS_STRICT_WARNINGS=ON -DOPENSSL_ROOT_DIR=../.localopenssl330 -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON .. && cmake -LA -N ..
|
|
- name: Build
|
|
run: ninja
|
|
working-directory: build
|
|
- name: Run tests
|
|
timeout-minutes: 60
|
|
run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
|
|
|
|
scan_build:
|
|
needs: buildcheck
|
|
runs-on: ubuntu-latest
|
|
container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
- name: Configure
|
|
run: mkdir build && cd build && scan-build-15 cmake -GNinja ..
|
|
- name: Build
|
|
run: scan-build-15 --status-bugs ninja
|
|
working-directory: build
|