wolfCOSE/.github/workflows/coverage.yml at main · wolfSSL/wolfCOSE · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Code Coverage

on:
  push:
    branches: [ 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  coverage:
    name: Line Coverage
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Install dependencies
      run: |
        sudo apt-get update
        sudo apt-get install -y autoconf automake libtool lcov

    - name: Resolve wolfSSL master commit
      id: wolfssl-rev
      run: echo "sha=$(git ls-remote https://github.com/wolfSSL/wolfssl.git HEAD | cut -f1)" >> "$GITHUB_OUTPUT"
    - name: Cache wolfSSL
      id: cache-wolfssl
      uses: actions/cache@v4
      with:
        path: ~/wolfssl-install
        key: wolfssl-ubuntu-latest-v3-${{ steps.wolfssl-rev.outputs.sha }}

    - name: Build wolfSSL
      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
      run: |
        cd ~
        git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
        cd wolfssl
        ./autogen.sh
        # Coverage thresholds (99%/100%) require the ML-DSA paths compiled in,
        # so build against master with the PQC/experimental wc_MlDsaKey API.
        ./configure --enable-ecc --enable-ed25519 --enable-ed448 \
                    --enable-curve25519 --enable-aesgcm --enable-aesccm \
                    --enable-sha384 --enable-sha512 --enable-keygen \
                    --enable-rsapss --enable-chacha --enable-poly1305 \
                    --enable-mldsa \
                    --enable-hkdf --enable-aeskeywrap \
                    --enable-aescbc \
                    --prefix=$HOME/wolfssl-install
        make -j$(nproc)
        make install

    - name: Run coverage with failure injection
      run: |
        export WOLFSSL_DIR=$HOME/wolfssl-install
        export LD_LIBRARY_PATH=$WOLFSSL_DIR/lib
        make coverage-force-failure CC=gcc \
          CFLAGS="-std=c99 -DHAVE_ANONYMOUS_INLINE_AGGREGATES=1 -Os -Wall -Wextra -Wpedantic -Wshadow -Wconversion -I./include -isystem $WOLFSSL_DIR/include" \
          LDFLAGS="-L$WOLFSSL_DIR/lib -lwolfssl"

    - name: Check coverage thresholds
      run: |
        echo "=============================================="
        echo "         wolfCOSE Coverage Report"
        echo "=============================================="
        echo ""

        # Coverage thresholds:
        #   wolfcose.c:      99% minimum
        #   wolfcose_cbor.c: 100% minimum

        FAILED=0

        # Run gcov and capture output
        GCOV_OUTPUT=$(gcov src/*.c 2>&1)
        echo "$GCOV_OUTPUT"
        echo ""

        # Parse wolfcose.c coverage from gcov output
        COSE_PCT=$(echo "$GCOV_OUTPUT" | grep -A1 "wolfcose.c'" | grep "Lines executed" | sed "s/.*:\([0-9.]*\)%.*/\1/")
        COSE_UNCOV=$(grep -c "#####" wolfcose.c.gcov 2>/dev/null || echo "0")

        if [ -n "$COSE_PCT" ]; then
          echo "wolfcose.c:"
          echo "  Coverage: ${COSE_PCT}%"
          echo "  Threshold: 99%"
          echo "  Uncovered lines: ${COSE_UNCOV}"
          echo ""

          # Compare using awk (handles decimals)
          if awk "BEGIN {exit !($COSE_PCT < 99)}"; then
            FAILED=1
            echo ">>> FAILED: wolfcose.c coverage is below 99%! <<<"
            echo ""
            echo "Uncovered lines in wolfcose.c:"
            echo "------------------------------"
            grep -n "#####" wolfcose.c.gcov | head -50
            echo ""
          else
            echo ">>> PASSED: wolfcose.c meets 99% threshold <<<"
          fi
          echo ""
        fi

        # Parse wolfcose_cbor.c coverage from gcov output
        CBOR_PCT=$(echo "$GCOV_OUTPUT" | grep -A1 "wolfcose_cbor.c'" | grep "Lines executed" | sed "s/.*:\([0-9.]*\)%.*/\1/")
        CBOR_UNCOV=$(grep -c "#####" wolfcose_cbor.c.gcov 2>/dev/null || echo "0")

        if [ -n "$CBOR_PCT" ]; then
          echo "wolfcose_cbor.c:"
          echo "  Coverage: ${CBOR_PCT}%"
          echo "  Threshold: 100%"
          echo "  Uncovered lines: ${CBOR_UNCOV}"
          echo ""

          # Compare using awk (handles decimals)
          if awk "BEGIN {exit !($CBOR_PCT < 100)}"; then
            FAILED=1
            echo ">>> FAILED: wolfcose_cbor.c coverage is below 100%! <<<"
            echo ""
            echo "Uncovered lines in wolfcose_cbor.c:"
            echo "-----------------------------------"
            grep -n "#####" wolfcose_cbor.c.gcov
            echo ""
          else
            echo ">>> PASSED: wolfcose_cbor.c meets 100% threshold <<<"
          fi
          echo ""
        fi

        echo "=============================================="

        if [ "$FAILED" -eq 1 ]; then
          echo ""
          echo "  Looks like you need more tests!"
          echo ""
          echo "  Add tests to tests/test_cose.c to cover the"
          echo "  uncovered lines shown above."
          echo ""
          echo "=============================================="
          exit 1
        fi

        echo "  All coverage thresholds passed!"
        echo "=============================================="