
build(deps): bump actions/cache from 4 to 5 #105

build(deps): bump actions/cache from 4 to 5


Workflow file for this run

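# CI workflow: builds and unit-tests the .NET solution on three OSes, then
# runs smoke tests, a packed-tool roundtrip, the Rust cross-implementation
# conformance check, a reproducible-test-vector check and a short fuzz run.
#
# NOTE(review): every `uses:` below references a mutable tag or branch
# (@v4, @v5, @stable). Pinning each action to a full commit SHA, with the
# tag kept in a trailing comment, makes the executed code immutable; let
# Dependabot keep the pins current.
#
# Each checkout sets `persist-credentials: false` so the job token is not
# left in .git/config while build and test code runs. No step visible in
# this file performs an authenticated git operation; confirm the same holds
# for scripts/smoke.sh and scripts/smoke.ps1.
name: CI

on:
  push:
  pull_request:

# Least privilege: the job token can only read repository contents.
permissions:
  contents: read

jobs:
  build-test:
    name: Build + unit tests (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      - name: Restore
        run: dotnet restore PostQuantum.FileFormat.sln
      - name: Build
        run: dotnet build PostQuantum.FileFormat.sln --no-restore -c Release
      - name: Test
        run: dotnet test PostQuantum.FileFormat.sln --no-build -c Release --verbosity normal

  smoke:
    name: Smoke test (${{ matrix.os }})
    needs: build-test
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      - name: Build
        run: dotnet build PostQuantum.FileFormat.sln -c Release --nologo -v minimal
      - name: Smoke test (in-tree CLI roundtrip)
        run: bash scripts/smoke.sh

  smoke-windows:
    name: Smoke test (windows-latest)
    needs: build-test
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      - name: Build
        run: dotnet build PostQuantum.FileFormat.sln -c Release --nologo -v minimal
      - name: Smoke test (in-tree CLI roundtrip, PowerShell)
        shell: pwsh
        run: ./scripts/smoke.ps1

  packed-tool-roundtrip:
    name: Packed tool roundtrip (.NET 10 / ${{ matrix.os }})
    needs: build-test
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      # The library + CLI target net10.0 only since 0.6.0-preview.2. Before
      # that release this job ran a roll-forward matrix across .NET 8, 9, 10
      # to prove <RollForward>Major</RollForward> let a net8.0 build execute
      # on newer runtimes. That mechanism is no longer relevant — there is no
      # newer runtime to roll forward to from net10.0 — so the job now just
      # verifies the packed `dotnet tool` installs and roundtrips a real file
      # end-to-end on the .NET 10 runtime, across all three OSes.
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      - name: Pack CLI
        shell: bash
        run: |
          dotnet pack cli/PostQuantum.FileFormat.Cli/PostQuantum.FileFormat.Cli.csproj \
            -c Release \
            -o "${{ runner.temp }}/nupkgs"
      - name: Install pqf as a local tool from the freshly packed nupkg
        shell: bash
        working-directory: ${{ runner.temp }}
        # NOTE(review): --add-source adds the local folder to the configured
        # NuGet feeds rather than replacing them, so package resolution is not
        # restricted to the freshly packed nupkg. Passing an explicit
        # --version would tie the install to the build under test — confirm
        # which package actually gets installed.
        run: |
          mkdir tool-test && cd tool-test
          dotnet new tool-manifest
          dotnet tool install PostQuantum.FileFormat.Cli \
            --add-source "${{ runner.temp }}/nupkgs" \
            --prerelease
      - name: pqf --help (must run on .NET 10)
        shell: bash
        working-directory: ${{ runner.temp }}/tool-test
        run: dotnet tool run pqf -- --help
      # Both roundtrip steps generate throwaway key pairs inside the runner's
      # temp directory, encrypt and sign 100000 random bytes, decrypt in
      # authenticated mode and compare the output with the input.
      - name: Roundtrip on .NET 10 (POSIX)
        if: matrix.os != 'windows-latest'
        shell: bash
        working-directory: ${{ runner.temp }}/tool-test
        run: |
          set -euo pipefail
          dotnet tool run pqf -- keygen --type encrypt --public-out enc.pub --private-out enc.key
          dotnet tool run pqf -- keygen --type sign --public-out sig.pub --private-out sig.key
          head -c 100000 /dev/urandom > sample.bin
          dotnet tool run pqf -- encrypt --in sample.bin --out sample.pqf \
            --recipient enc.pub --signing-key sig.key
          dotnet tool run pqf -- decrypt --in sample.pqf --out sample.out.bin \
            --identity enc.key --mode authenticated
          diff -q sample.bin sample.out.bin
          echo "roundtrip OK on .NET 10 / ${{ matrix.os }}"
      - name: Roundtrip on .NET 10 (Windows)
        if: matrix.os == 'windows-latest'
        shell: pwsh
        working-directory: ${{ runner.temp }}/tool-test
        run: |
          $ErrorActionPreference = 'Stop'
          dotnet tool run pqf -- keygen --type encrypt --public-out enc.pub --private-out enc.key
          dotnet tool run pqf -- keygen --type sign --public-out sig.pub --private-out sig.key
          $bytes = New-Object byte[] 100000
          [System.Security.Cryptography.RandomNumberGenerator]::Fill($bytes)
          [System.IO.File]::WriteAllBytes("sample.bin", $bytes)
          dotnet tool run pqf -- encrypt --in sample.bin --out sample.pqf `
            --recipient enc.pub --signing-key sig.key
          dotnet tool run pqf -- decrypt --in sample.pqf --out sample.out.bin `
            --identity enc.key --mode authenticated
          $hashIn = (Get-FileHash sample.bin -Algorithm SHA256).Hash
          $hashOut = (Get-FileHash sample.out.bin -Algorithm SHA256).Hash
          if ($hashIn -ne $hashOut) { throw "roundtrip mismatch: $hashIn != $hashOut" }
          Write-Host "roundtrip OK on .NET 10 / windows-latest"

  rust-conformance:
    name: Cross-impl conformance (Rust reader vs .NET vectors)
    needs: build-test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Rust (stable, minimal profile)
        uses: dtolnay/rust-toolchain@stable
      # The cache key hashes Cargo.toml only, so a dependency change that
      # leaves Cargo.toml untouched restores the existing cache entry.
      # NOTE(review): if a Cargo.lock is committed for pqf-reader, hashing it
      # as well would key the cache on the resolved dependency set — confirm.
      - name: Cache Cargo registry & target
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            impl/rust/pqf-reader/target
          key: ${{ runner.os }}-rust-pqf-reader-${{ hashFiles('impl/rust/pqf-reader/Cargo.toml') }}
      - name: Build pqf-conformance
        working-directory: impl/rust/pqf-reader
        run: cargo build --release --bin pqf-conformance
      - name: Run cross-implementation conformance
        working-directory: impl/rust/pqf-reader
        run: cargo run --release --bin pqf-conformance

  reproducible-vectors:
    name: Reproducible test vectors
    needs: build-test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      - name: Restore
        run: dotnet restore PostQuantum.FileFormat.sln
      - name: Build
        run: dotnet build PostQuantum.FileFormat.sln --no-restore -c Release
      - name: Regenerate test vectors from seeded inputs
        # TestVectors is a console app that writes test-vectors/v1/cases/*.pqf
        # and v1/manifest.json from seeded RNG. We diff the regenerated bytes
        # against the committed bytes to catch non-determinism in the wire
        # encoder.
        run: |
          dotnet run --project tests/PostQuantum.FileFormat.TestVectors \
            --no-build -c Release
      - name: Diff all vectors against committed bytes
        # Signed vectors regenerate byte-deterministically because the writer
        # threads FIPS 204 deterministic signing through HybridSigner when
        # deterministicSigning=true is set (TestVectors does that). Ed25519
        # is deterministic by RFC 8032. The cross-impl Rust gate continues
        # to validate the same vectors end-to-end via a separate reader.
        #
        # NOTE(review): `git diff` compares tracked files only, so a vector
        # file that the generator creates but that was never committed does
        # not fail this step; a `git status --porcelain` check on the same
        # path would cover that case.
        run: |
          git diff --exit-code test-vectors/v1/ \
            || (echo "::error::Regenerated test vectors differ from committed bytes" && exit 1)
          echo "All test vectors are byte-deterministic."

  fuzz-short:
    name: Fuzz (short, smoke)
    needs: build-test
    runs-on: ubuntu-latest
    # A failure of this job does not fail the workflow run, so anything the
    # fuzzer finds has to be picked up from this job's own status and logs.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      # Both steps below are no-ops when the fuzz project file is absent.
      - name: Restore
        run: |
          if [ -f tests/PostQuantum.FileFormat.Fuzz/PostQuantum.FileFormat.Fuzz.csproj ]; then
            dotnet restore tests/PostQuantum.FileFormat.Fuzz/PostQuantum.FileFormat.Fuzz.csproj
          else
            echo "Fuzz project not present; skipping."
            exit 0
          fi
      - name: Smoke-fuzz the header parser for 60 seconds
        run: |
          if [ -f tests/PostQuantum.FileFormat.Fuzz/PostQuantum.FileFormat.Fuzz.csproj ]; then
            dotnet run --project tests/PostQuantum.FileFormat.Fuzz \
              -c Release -- --time 60 --target header
          fi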