pq-code-package · jakemas · Feb 14, 2025 · Feb 12, 2025 · Feb 12, 2025 · Feb 12, 2025
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# clang-format style file for mlkem-native
+#
+BasedOnStyle: Google
+MaxEmptyLinesToKeep: 3
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+DerivePointerAlignment: false
+PointerAlignment: Right
+# TODO(davidben): The default for Google style is now Regroup, but the default
+# IncludeCategories does not recognize <openssl/header.h>. We should
+# reconfigure IncludeCategories to match. For now, keep it at Preserve.
+IncludeBlocks: Preserve
+
+# Designate CBMC contracts/macros that appear in .h files
+# as "attributes" so they don't get increasingly indented line after line
+BreakBeforeBraces: Allman
+WhitespaceSensitiveMacros: ['__contract__', '__loop__' ]
+Macros:
+ # Make this artifically long to avoid function bodies after short contracts
+ - __contract__(x)={ void a; void b; void c; void d; void e; void f; } void abcdefghijklmnopqrstuvw()
+ - __loop__(x)={}
+ # Make this artifically long to force line break
+ - MLK_INTERNAL_API=void abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefg();
@@ -0,0 +1,49 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Lint
+description: Lint MLKEM-C_AArch64
+
+inputs:
+  nix-shell:
+    description: Run in the specified Nix environment if exists
+    default: "ci-linter"
+  nix-cache:
+    description: Determine whether to enable nix cache
+    default: "false"
+  nix-verbose:
+    description: Determine wether to suppress nix log or not
+    default: 'false'
+  custom_shell:
+    description: The shell to use. Only relevant if no nix-shell specified
+    default: "bash"
+  cross-prefix:
+    description: Binary prefix for cross compilation
+    default: ""
+  gh_token:
+    description: Github access token to use
+    required: true
+runs:
+  using: composite
+  steps:
+      - uses: ./.github/actions/setup-shell
+        with:
+          nix-shell: ${{ inputs.nix-shell }}
+          custom_shell: ${{ inputs.custom_shell }}
+          nix-cache: ${{ inputs.nix-cache }}
+          nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
+          script: |
+            cat >> $GITHUB_STEP_SUMMARY << EOF
+              ## Setup
+              Architecture: $(uname -m)
+              - $(uname -a)
+              - $(nix --version)
+              - $(clang-format --version)
+              - $(${{ matrix.target.cross-prefix }}gcc --version | grep -m1 "")
+              - $(bash --version | grep -m1 "")
+            EOF
+      - name: Run linter
+        shell: ${{ env.SHELL }}
+        run: |
+          echo "## Lint & Checks" >> $GITHUB_STEP_SUMMARY
+          lint
@@ -0,0 +1,163 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Setup nix
+description: Setup nix
+
+inputs:
+  script:
+    description: The script to be run in the nix shell
+    required: false
+  devShell:
+    description: The name of the devShell
+    required: true
+  cache:
+    description: Determine whether to enable nix cache
+    default: 'false'
+  verbose:
+    description: Determine wether to suppress nix log or not
+    default: 'false'
+  cache_prefix:
+    description: Fixed prefix of ID of Github cache entries that should be removed.
+    required: false
+  purge_cache:
+    description: Determine whether to purge cache with primary key or not
+    required: false
+    default: 'true'
+  gh_token:
+    description: Github access token to use
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Nix install mode
+      shell: bash
+      run: |
+        if [[ ${{ runner.os }} != 'Linux' || $USER == 'root' ]]; then
+          echo "NIX_INSTALL_MODE=multi" >> $GITHUB_ENV
+        fi
+    - name: Pre-check nix
+      id: nix-pre-check
+      if: ${{ env.NIX_SHELL == '' }}
+      shell: bash -lo pipefail {0}
+      run: |
+        suppress() {
+          local exit_code="$?"
+          local line_no="$1"
+          echo "Nix check failed at $line_no: $exit_code"
+          echo "installed=false" >> $GITHUB_OUTPUT
+          exit 0
+        }
+
+        trap 'suppress $LINENO' ERR
+
+        nix --version
+        nix config show | grep -E "^trusted-users = .*$USER"
+        nix config show | grep -E "^experimental-features = .*flakes"
+        nix config show | grep -E "^experimental-features = .*nix-command"
+    - name: Install Nix
+      shell: bash
+      if: ${{ steps.nix-pre-check.outputs.installed == 'false' }}
+      env:
+        GH_TOKEN: ${{ inputs.gh_token }}
+      run: |
+        echo "::group::Nix installation"
+        mkdir -p ~/.config/nix
+
+        if [[ $NIX_INSTALL_MODE == 'multi' ]]; then
+          curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install \
+          --no-confirm \
+          --extra-conf "trusted-users = ${USER:-}" \
+          --extra-conf "experimental-features = nix-command flakes"
+        else
+          sh <(curl -L https://nixos.org/nix/install) --no-daemon
+
+        cat >> ~/.config/nix/nix.conf << EOF
+          trusted-users = ${USER:-}
+          experimental-features = nix-command flakes
+          substituters = https://cache.nixos.org/
+          trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          max-jobs = auto
+        EOF
+        fi
+
+        if [[ ! -z $GH_TOKEN ]]; then
+           mkdir -p ~/.config/nix
+           echo "access-tokens = github.com=$GH_TOKEN" >> ~/.config/nix/nix.conf
+        fi
+
+        if command -v gh >/dev/null 2>&1; then
+          limit=$(gh api rate_limit --jq '.rate.remaining')
+          reset=$(gh api rate_limit --jq '.rate.reset')
+          now=$(date +%s)
+          if [[ $limit < 10 ]]; then
+            wait=$(( reset - now ))
+            echo "Rate limit remaining is $limit less then 10, waiting for $wait secs to retry"
+            sleep $wait
+          else
+            echo "Rate limit remaining is $limit greater than 10, no need to wait"
+          fi
+        else
+            echo "GitHub CLI is not installed."
+        fi
+
+        if [[ $NIX_INSTALL_MODE == 'multi' ]]; then
+          . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+        else
+          . ~/.nix-profile/etc/profile.d/nix.sh
+        fi
+        echo "$(dirname $(which nix))" >> $GITHUB_PATH
+        nix profile install nixpkgs/nixos-24.05#sqlite
+        echo "::endgroup::"
+    - name: Post-check nix
+      id: nix-post-check
+      continue-on-error: true
+      shell: bash -lo pipefail {0}
+      run: |
+        echo "::group::nix config"
+        if [[ -z "${{ inputs.cache_prefix }}" ]]; then
+          cache_prefix="${{ runner.os }}-${{ runner.arch }}-${{ inputs.devShell }}"
+        else
+          cache_prefix="${{ inputs.cache_prefix }}"
+        fi
+        if [[ ! -z $NIX_INSTALL_MODE ]]; then
+          cache_prefix="$cache_prefix-$NIX_INSTALL_MODE"
+        fi
+
+        echo "cache_prefix=$cache_prefix" >> $GITHUB_OUTPUT
+
+        nix config check
+        nix config show
+        echo "::endgroup::"
+    - uses: nix-community/cache-nix-action@8351fb9f51c580c96c509987ebb99e38aed956ce # v5.2.1
+      id: cache
+      if: ${{ env.NIX_CACHE_ENABLED != 1 && inputs.cache == 'true' }}
+      continue-on-error: true
+      with:
+        primary-key: ${{ steps.nix-post-check.outputs.cache_prefix }}-${{ hashFiles('**/*.nix') }}
+        restore-prefixes-first-match: ${{ steps.nix-post-check.outputs.cache_prefix }}
+        gc-max-store-size-linux: 536870912
+        purge: ${{ inputs.purge_cache == 'true' }}
+        purge-prefixes: cache-${{ steps.nix-post-check.outputs.cache_prefix }}
+        purge-created: 0
+        purge-primary-key: ${{ inputs.purge_cache == 'true' && 'always' || 'never' }}
+        token: ${{ inputs.gh_token }}
+    - name: Set Shell
+      shell: bash -lo pipefail {0}
+      run: |
+        echo "::group::set nix shell"
+        if [[ "${{ steps.cache.outputs.hit-primary-key }}" == "true" ]]; then
+          echo NIX_CACHE_ENABLED=1 >> $GITHUB_ENV
+        fi
+
+        echo NIX_SHELL="${{ inputs.devShell }}" >> $GITHUB_ENV
+        nix_extra_flags="${{ inputs.verbose == 'false' && '--quiet' || '' }}"
+        echo SHELL="$(which nix) develop $nix_extra_flags .#${{ inputs.devShell }} -c bash -e {0}" >> $GITHUB_ENV
+        echo "::endgroup::"
+    - name: Prepare nix dev shell
+      shell: ${{ env.SHELL }}
+      run: |
+    - name: Dependency check
+      shell: ${{ env.SHELL }}
+      if: inputs.script != ''
+      run: eval ${{ inputs.script }}
@@ -0,0 +1,50 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Set Shell
+description: Setup nix or custom shell for workflows
+
+inputs:
+  nix-shell:
+    description: Run in the specified Nix environment if exists. If empty, custom shell will be used instead of nix.
+    default: 'ci'
+  nix-cache:
+    description: Determine whether to enable nix cache
+    default: 'false'
+  nix-cache-prefix:
+    description: Fixed prefix of ID of Github cache entries that should be removed.
+    required: false
+  nix-verbose:
+    description: Determine wether to suppress nix log or not
+    default: 'false'
+  custom_shell:
+    description: The shell to use. Only relevant if no nix-shell specified
+    default: 'bash'
+  script:
+    description: The script to be run in the nix shell
+    required: false
+  gh_token:
+    description: Github access token to use
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup nix
+      uses: ./.github/actions/setup-nix
+      if: ${{ inputs.nix-shell != '' }}
+      with:
+        devShell: ${{ inputs.nix-shell }}
+        gh_token: ${{ inputs.gh_token }}
+        verbose: ${{ inputs.nix-verbose }}
+        cache: ${{ inputs.nix-cache }}
+        script: ${{ inputs.script }}
+        cache_prefix: ${{ inputs.nix-cache-prefix }}
+    - name: Set custom shell
+      shell: bash
+      if: ${{ inputs.nix-shell == '' }}
+      run: |
+          echo SHELL="${{ inputs.custom_shell }}" >> $GITHUB_ENV
+
+          if [[ "${{ inputs.script }}" != '' ]]; then
+            eval ${{ inputs.script }}
+          fi
@@ -16,6 +16,25 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  lint:
+    strategy:
+      fail-fast: false
+      matrix:
+        system: [ubuntu-latest, pqcp-arm64]
+    name: Linting
+    runs-on: ${{ matrix.system }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ./.github/actions/lint
+        with:
+          nix-shell: ci-linter
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          cross-prefix: "aarch64-unknown-linux-gnu-"
+  lint-markdown-link:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: gaurav-nelson/github-action-markdown-link-check@1b916f2cf6c36510a6059943104e3c42ce6c16bc # v1.0.16
   quickcheck:
     strategy:
       fail-fast: false
@@ -37,4 +56,4 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: make quickcheck
         run: |
-          make quickcheck
+          make quickcheck
@@ -1,3 +1,3 @@
 # SPDX-License-Identifier: Apache-2.0
 
-test/build
+test/build
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
+# Last matching pattern has precedence
+
+* @pq-code-package/pqcp-mldsa-native-admin
@@ -0,0 +1,11 @@
+[//]: # (SPDX-License-Identifier: CC-BY-4.0)
+
+# Maintainers
+
+## Active Maintainers
+
+| Name                    | GitHub                                          | Affliation
+|-------------------------|-------------------------------------------------|----------------------
+| Hanno Becker            | [hanno-becker](https://github.com/hanno-becker) | AWS                  |
+| Matthias J. Kannwischer | [mkannwischer](https://github.com/mkannwischer) | Chelpis Quantum Corp |
+| Jake Massimo            | [jakemas](https://github.com/jakemas)           | AWS                  |
@@ -48,4 +48,4 @@ lib: $(BUILD_DIR)/libmldsa.a $(BUILD_DIR)/libmldsa44.a $(BUILD_DIR)/libmldsa65.a
 
 clean:
 	-$(RM) -rf *.gcno *.gcda *.lcov *.o *.so
-	-$(RM) -rf $(BUILD_DIR)
+	-$(RM) -rf $(BUILD_DIR)