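---
# Weekly deep-verification workflow: runs the full CI suite plus the slow lanes
# (feature matrix, Miri, fuzzing, ML-KEM hardware gate, constant-time evidence,
# coverage) that are too expensive for per-PR CI.
name: Weekly

on:
  schedule:
    # Every Sunday at 03:00 UTC (GitHub Actions cron is always evaluated in UTC).
    - cron: "0 3 * * 0"
  # Manual trigger. No `inputs:` are declared, so nothing event-supplied is
  # interpolated into the shell steps below; keep it that way (or quote/sanitize
  # via `env:`) if dispatch inputs are ever added.
  workflow_dispatch:

# One run per workflow+ref; a newer trigger cancels an in-flight one so two
# weekly sweeps never compete for the physical runners.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Quoted so YAML does not retype them; GitHub passes env values as strings anyway.
  RUST_BACKTRACE: "1"
  CARGO_TERM_COLOR: always
  RSCRYPTO_TEST_MODE: weekly
  CARGO_INCREMENTAL: "0"

# Least-privilege default GITHUB_TOKEN: read-only checkout for every job.
# A job needing more (e.g. writing checks or packages) must request it explicitly
# at job level rather than widening this block.
permissions:
  contents: read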
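jobs:
  # ─── Full CI suite: all platforms, deep cross-compile sweep, full supply chain. ──
  suite:
    name: CI Suite (weekly)
    uses: ./.github/workflows/_ci-suite.yaml
    with:
      scope: all
      cache_key_prefix: weekly
      supply_chain_mode: full
      cross_depth: deep
      test_mode: weekly

  # ─── Executable feature-matrix sweep (26 combinations). ──
  feature-matrix:
    name: Feature Matrix (${{ matrix.target.name }})
    strategy:
      # Let every target report independently; the `complete` gate aggregates.
      fail-fast: false
      matrix:
        target:
          - name: x86_64
            runner: runs-on=${{ github.run_id }}/runner=linux-x64-ci
          - name: aarch64
            runner: runs-on=${{ github.run_id }}/runner=linux-arm64-ci
    uses: ./.github/workflows/_rust-job.yaml
    with:
      runner: ${{ matrix.target.runner }}
      timeout_minutes: 60
      cache_key: weekly-feature-matrix-${{ matrix.target.name }}
      tools_mode: minimal
      # Reusable-workflow inputs are typed; these must stay real booleans.
      enable_magic_cache: true
      enable_rust_cache: true
      run_script: just test-feature-matrix

  # ─── Miri memory-safety (stacked borrows). ──
  miri:
    name: Miri (${{ matrix.target.name }})
    strategy:
      fail-fast: false
      matrix:
        target:
          - name: x86_64
            runner: runs-on=${{ github.run_id }}/runner=linux-x64-ci
          - name: aarch64
            runner: runs-on=${{ github.run_id }}/runner=linux-arm64-ci
    uses: ./.github/workflows/_rust-job.yaml
    with:
      runner: ${{ matrix.target.runner }}
      timeout_minutes: 60
      cache_key: weekly-miri-${{ matrix.target.name }}
      tools_mode: minimal
      toolchain_components: "miri, rust-src"
      enable_magic_cache: true
      enable_rust_cache: true
      run_script: just test-miri

  # ─── Miri memory-safety (tree borrows). ──
  miri-tree-borrows:
    name: Miri (Tree Borrows)
    uses: ./.github/workflows/_rust-job.yaml
    with:
      runner: runs-on=${{ github.run_id }}/runner=linux-x64-ci
      timeout_minutes: 60
      cache_key: weekly-miri-tree-borrows
      tools_mode: minimal
      toolchain_components: "miri, rust-src"
      enable_magic_cache: true
      enable_rust_cache: true
      # Same recipe as `miri`, with the tree-borrows aliasing model selected via MIRIFLAGS.
      run_script: |
        export MIRIFLAGS="-Zmiri-tree-borrows"
        just test-miri

  # ─── Fuzzing (libFuzzer full + scoped packages). ──
  fuzzing:
    name: Fuzzing (${{ matrix.target.name }})
    strategy:
      fail-fast: false
      matrix:
        target:
          - name: x86_64
            runner: runs-on=${{ github.run_id }}/runner=linux-x64-ci
          - name: aarch64
            runner: runs-on=${{ github.run_id }}/runner=linux-arm64-ci
    uses: ./.github/workflows/_rust-job.yaml
    with:
      runner: ${{ matrix.target.runner }}
      timeout_minutes: 120
      cache_key: weekly-fuzz-${{ matrix.target.name }}
      tools_mode: fuzz
      enable_magic_cache: true
      enable_rust_cache: true
      # Per-target fuzz budget, exported for the `just test-fuzz` recipe.
      pre_script: |
        echo "RSCRYPTO_FUZZ_DURATION_SECS=60" >> "$GITHUB_ENV"
      # After the run, bundle every corpus directory (top-level `fuzz/corpus` plus
      # each `fuzz-packages/<pkg>/corpus`) into one archive so the coverage job
      # can replay it. An empty archive is still produced when no corpus exists,
      # so the download in `coverage` always finds the expected file.
      run_script: |
        just test-fuzz --all
        rm -rf fuzz-output
        mkdir -p fuzz-output
        mapfile -t corpus_dirs < <(
          {
            [ -d fuzz/corpus ] && printf '%s\n' fuzz/corpus
            find fuzz-packages -mindepth 2 -maxdepth 2 -type d -name corpus
          } | sort
        )
        if [ "${#corpus_dirs[@]}" -eq 0 ]; then
          tar -czf fuzz-output/corpus.tar.gz --files-from /dev/null
        else
          tar -czf fuzz-output/corpus.tar.gz "${corpus_dirs[@]}"
        fi
      artifact_name: fuzz-output-weekly-${{ matrix.target.name }}
      artifact_path: |
        fuzz-output/corpus.tar.gz
        fuzz/artifacts/
        fuzz-packages/*/artifacts/
      # NOTE(review): if `artifact_always` means "upload even when run_script fails"
      # (as the name suggests — confirm in _rust-job.yaml), then `false` here drops
      # `fuzz/artifacts/` (crash reproducers) precisely on the run that found a crash.
      # Consider `true`, as `mlkem-graviton` below already uses.
      artifact_always: false

  # --- Native ML-KEM promotion gate on the physical AWS targets. ---
  mlkem-graviton:
    name: ML-KEM Graviton Gate (${{ matrix.display_name }})
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: graviton3
            display_name: AWS Graviton3
          - platform: graviton4
            display_name: AWS Graviton4
    uses: ./.github/workflows/_rust-job.yaml
    with:
      runner: runs-on=${{ github.run_id }}/runner=${{ matrix.platform }}
      timeout_minutes: 180
      cache_key: ""
      tools_mode: minimal
      toolchain_components: "clippy, rustfmt, rust-src"
      # Benchmark evidence should be a clean native build on the exact host.
      enable_magic_cache: false
      enable_rust_cache: false
      # Record host identity (kernel, CPU model/flags) alongside the evidence so a
      # result can be tied to the exact hardware it was measured on.
      # The `${{ matrix.* }}` values interpolated here are defined in this file,
      # not taken from the triggering event, so they carry no injection risk.
      pre_script: |
        echo "ML-KEM gate host: ${{ matrix.display_name }} (${{ matrix.platform }})"
        uname -a
        lscpu
        sed -n '1,80p' /proc/cpuinfo
      run_script: |
        MLKEM_AARCH64_GATE_PLATFORM="${{ matrix.platform }}" \
          bash scripts/ci/mlkem-aarch64-gate.sh
      artifact_name: mlkem-aarch64-gate-${{ matrix.platform }}
      artifact_path: mlkem-aarch64-gate/
      # Evidence is wanted on failure too — a failed gate is the interesting case.
      artifact_always: true

  # ─── Constant-time evidence on benchmark-published physical lanes. ──
  ct:
    name: Constant-Time Evidence (weekly)
    uses: ./.github/workflows/ct.yaml
    with:
      platforms: all
      # Timeouts are quoted: the called workflow takes them as strings.
      dudect_timeout: "1800"
      binsec_timeout: "900"
      upload_raw_artifacts: false

  # ─── Coverage (nextest + fuzz corpus → codecov). ──
  coverage:
    name: Coverage
    # `fuzzing` must finish first so its corpus artifacts exist for replay.
    needs: [suite, fuzzing]
    runs-on: runs-on=${{ github.run_id }}/runner=linux-x64-ci
    timeout-minutes: 120
    steps:
      # Third-party actions are pinned to full commit SHAs (supply-chain control);
      # the trailing `# vX.Y.Z` is informational only — keep it in sync when bumping.
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Full history: the coverage tooling needs more than a shallow clone.
          fetch-depth: 0
      - name: Setup
        uses: ./.github/actions/setup
        with:
          cache-key: weekly-coverage
          tools-mode: coverage
          toolchain-components: "rust-src"
          # Composite-action inputs are always strings, hence the quoted booleans
          # (unlike the typed reusable-workflow inputs above).
          enable-magic-cache: "true"
          enable-rust-cache: "true"
      - name: Download fuzz corpus artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          # Only artifacts produced by this run's `fuzzing` matrix jobs.
          pattern: fuzz-output-weekly-*
          path: fuzz-output-artifacts
      # Archives come from the `fuzzing` jobs of this same run, so the trust
      # boundary is intra-workflow. They are extracted relative to the workspace,
      # recreating `fuzz/corpus` and `fuzz-packages/*/corpus`.
      # NOTE(review): the "no archives" branch exits 0, so a change in the artifact
      # layout (e.g. the archive landing at `<name>/corpus.tar.gz` instead of
      # `<name>/fuzz-output/corpus.tar.gz`) would silently skip corpus replay and
      # under-report coverage. A warning annotation or a hard failure here would
      # make that visible.
      - name: Restore fuzz corpora
        shell: bash
        run: |
          shopt -s nullglob
          archives=(fuzz-output-artifacts/*/fuzz-output/corpus.tar.gz)
          if [ "${#archives[@]}" -eq 0 ]; then
            echo "No fuzz corpus archives found"
            exit 0
          fi
          for archive in "${archives[@]}"; do
            echo "Extracting $archive"
            tar -xzf "$archive"
          done
      - name: Total Coverage (nextest + fuzz corpus replay)
        run: just test-coverage
      - name: Upload to Codecov
        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
        with:
          # Token is read from repository secrets; never inline it here.
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage/total.lcov
          flags: total
          name: total
          # Surface upload problems instead of silently passing with stale coverage.
          fail_ci_if_error: true
      - name: Upload Coverage Artifacts
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: coverage-reports
          path: |
            coverage/total.lcov
            coverage/SUMMARY.md
          retention-days: 90
          if-no-files-found: warn

  # ─── Gate: every required lane must pass. ──
  complete:
    name: Complete (weekly)
    needs: [suite, feature-matrix, miri, miri-tree-borrows, fuzzing, mlkem-graviton, ct, coverage]
    # Run even when an upstream lane failed or was cancelled, so the gate itself
    # reports the failure instead of being skipped.
    if: always()
    runs-on: ubuntu-latest
    # The gate is a short shell loop; bound it so a hung runner cannot sit idle
    # for the default six hours.
    timeout-minutes: 10
    steps:
      # Any result other than `success` (failure, cancelled, skipped) fails the
      # gate, so a skipped lane cannot pass unnoticed. The interpolated values
      # are job results, not event data.
      - name: Assert all lanes passed
        run: |
          failed=0
          for lane in \
            "suite=${{ needs.suite.result }}" \
            "feature-matrix=${{ needs.feature-matrix.result }}" \
            "miri=${{ needs.miri.result }}" \
            "miri-tree-borrows=${{ needs.miri-tree-borrows.result }}" \
            "fuzzing=${{ needs.fuzzing.result }}" \
            "mlkem-graviton=${{ needs.mlkem-graviton.result }}" \
            "ct=${{ needs.ct.result }}" \
            "coverage=${{ needs.coverage.result }}"
          do
            name="${lane%%=*}"
            result="${lane#*=}"
            if [ "$result" != "success" ]; then
              echo "FAIL: $name ($result)"
              failed=1
            else
              echo "  OK: $name"
            fi
          done
          if [ "$failed" -eq 1 ]; then
            echo ""
            echo "One or more required lanes failed."
            exit 1
          fi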