name: Basic checks permissions: contents: read on: [workflow_call, workflow_dispatch] jobs: workflowcheck: name: Check validity of GitHub workflows runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Install actionlint run: | bash <(curl -sSL https://raw.githubusercontent.com/rhysd/actionlint/2ab3a12c7848f6c15faca9a92612ef4261d0e370/scripts/download-actionlint.bash) sudo mv ./actionlint /usr/local/bin/ - name: Ensure GitHub actions are valid run: actionlint -shellcheck "" # run *without* shellcheck stylecheck: name: Check code formatting needs: [workflowcheck] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Ensure code conventions are upheld run: python3 -m pytest --verbose tests/test_code_conventions.py - name: Check that doxygen can parse the documentation run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build - name: Validate CBOM run: scripts/validate_cbom.sh upstreamcheck: name: Check upstream code is properly integrated needs: [workflowcheck] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Configure run: | git config --global user.name "ciuser" && \ git config --global user.email "ci@openquantumsafe.org" && \ git config --global --add safe.directory "$PWD" && \ echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" - name: Verify copy_from_upstream state after copy working-directory: "scripts/copy_from_upstream" run: | python3 copy_from_upstream.py -d copy && \ git status --porcelain && \ test -z "$(git status --porcelain)" - name: Verify copy_from_upstream state after libjade working-directory: "scripts/copy_from_upstream" run: | python3 copy_from_upstream.py -d libjade && \ git status --porcelain && \ test -z "$(git status --porcelain)" buildcheck: name: Check that code passes a basic build needs: [workflowcheck, stylecheck, upstreamcheck] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest env: KEM_NAME: ml_kem_768 SIG_NAME: ml_dsa_65 steps: - name: Create random build folder run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Configure run: | cmake \ -B ${{ env.RANDOM_BUILD_DIR }} \ -GNinja \ -DOQS_STRICT_WARNINGS=ON \ -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ --warn-uninitialized . > config.log 2>&1 && \ cat config.log && \ cmake -LA -N . && \ ! (grep -i "uninitialized variable" config.log) - name: Build code run: ninja working-directory: ${{ env.RANDOM_BUILD_DIR }} - name: Build documentation run: ninja gen_docs working-directory: ${{ env.RANDOM_BUILD_DIR }} cppcheck: name: Check C++ linking with example program needs: [workflowcheck] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest env: SIG_NAME: ml_dsa_44 steps: - name: Create random build folder run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Configure run: | cmake \ -B ${{ env.RANDOM_BUILD_DIR }} \ -GNinja \ -DOQS_STRICT_WARNINGS=ON \ -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \ --warn-uninitialized . > config.log 2>&1 && \ cat config.log && \ cmake -LA -N . && \ ! (grep -i "uninitialized variable" config.log) - name: Build liboqs run: ninja working-directory: ${{ env.RANDOM_BUILD_DIR }} - name: Link with C++ program run: | g++ "$GITHUB_WORKSPACE"/cpp/sig_linking_test.cpp -g \ -I./include -L./lib -loqs -lcrypto -std=c++11 -o example_sig && \ ./example_sig working-directory: ${{ env.RANDOM_BUILD_DIR }} fuzzbuildcheck: name: Check that code passes a basic fuzzing build needs: [workflowcheck, stylecheck, upstreamcheck] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest env: SIG_NAME: ml_dsa_44 CC: clang CXX: clang++ CFLAGS: -fsanitize=fuzzer-no-link,address LDFLAGS: -fsanitize=address steps: - name: Create random build folder run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Configure run: | cmake \ -B ${{ env.RANDOM_BUILD_DIR }} \ -GNinja \ -DOQS_STRICT_WARNINGS=ON \ -DOQS_BUILD_FUZZ_TESTS=ON \ -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \ --warn-uninitialized . > config.log 2>&1 && \ cat config.log && \ cmake -LA -N . && \ ! (grep -i "uninitialized variable" config.log) - name: Build code run: ninja fuzz_test_sig working-directory: ${{ env.RANDOM_BUILD_DIR }} - name: Short fuzz check (30s) run: ./tests/fuzz_test_sig -max_total_time=30 working-directory: ${{ env.RANDOM_BUILD_DIR }} nixflakecheck: name: Check that Nix flake has correct syntax and can build needs: [workflowcheck] runs-on: ubuntu-latest steps: - uses: DeterminateSystems/nix-installer-action@90bb610b90bf290cad97484ba341453bd1cbefea # v19 - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Check devShell run: nix develop --command echo - name: Check flake syntax run: nix flake check --no-build # check for accurate syntax - name: Check that the flake builds run: nix build # check that the build runs