.github/workflows/basic.yml

name: Basic checks

permissions:
  contents: read

on: [workflow_call, workflow_dispatch]

jobs:
  workflowcheck:
    name: Check validity of GitHub workflows
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Ensure GitHub actions are valid
        run: actionlint -shellcheck "" # run *without* shellcheck

  stylecheck:
    name: Check code formatting
    needs: [workflowcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Ensure code conventions are upheld
        run: python3 -m pytest --verbose tests/test_code_conventions.py
      - name: Check that doxygen can parse the documentation
        run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build
      - name: Validate CBOM
        run: scripts/validate_cbom.sh

  upstreamcheck:
    name: Check upstream code is properly integrated
    needs: [workflowcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
          git config --global user.name "ciuser" && \
          git config --global user.email "ci@openquantumsafe.org" && \
          git config --global --add safe.directory "$PWD" && \
          echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV"
      - name: Verify copy_from_upstream state after copy
        working-directory: "scripts/copy_from_upstream"
        run: |
          python3 copy_from_upstream.py -d copy && \
          git status --porcelain && \
          test -z "$(git status --porcelain)"
      - name: Verify copy_from_upstream state after libjade
        working-directory: "scripts/copy_from_upstream"
        run: |
          python3 copy_from_upstream.py -d libjade && \
          git status --porcelain && \
          test -z "$(git status --porcelain)"

  buildcheck:
    name: Check that code passes a basic build
    needs: [workflowcheck, stylecheck, upstreamcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    env:
      KEM_NAME: ml_kem_768
      SIG_NAME: ml_dsa_65
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
          mkdir build && \
          cd build && \
          cmake -GNinja -DOQS_STRICT_WARNINGS=ON \
            -GNinja \
            -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \
            --warn-uninitialized .. > config.log 2>&1 && \
          cat config.log && \
          cmake -LA -N .. && \
          ! (grep -i "uninitialized variable" config.log)
      - name: Build code
        run: ninja
        working-directory: build
      - name: Build documentation
        run: ninja gen_docs
        working-directory: build

  cppcheck:
    name: Check C++ linking with example program
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    env:
      SIG_NAME: dilithium_2
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
          mkdir build && \
          cd build && \
          cmake -GNinja -DOQS_STRICT_WARNINGS=ON \
            -GNinja \
            -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \
            --warn-uninitialized .. > config.log 2>&1 && \
          cat config.log && \
          cmake -LA -N .. && \
          ! (grep -i "uninitialized variable" config.log)
      - name: Build liboqs
        run: ninja
        working-directory: build
      - name: Link with C++ program
        run: |
          g++ ../cpp/sig_linking_test.cpp -g \
          -I./include -L./lib -loqs -lcrypto -std=c++11 -o example_sig && \
          ./example_sig
        working-directory: build

  fuzzbuildcheck:
    name: Check that code passes a basic fuzzing build
    needs: [workflowcheck, stylecheck, upstreamcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    env:
      SIG_NAME: dilithium_2
      CC: clang
      CXX: clang++
      CFLAGS: -fsanitize=fuzzer-no-link,address
      LDFLAGS: -fsanitize=address
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
          mkdir build && \
          cd build && \
          cmake -GNinja -DOQS_STRICT_WARNINGS=ON \
            -DOQS_BUILD_FUZZ_TESTS=ON \
            -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \
            --warn-uninitialized .. > config.log 2>&1 && \
          cat config.log && \
          cmake -LA -N .. && \
          ! (grep -i "uninitialized variable" config.log)
      - name: Build code
        run: ninja fuzz_test_sig
        working-directory: build

      - name: Short fuzz check (30s)
        run: ./tests/fuzz_test_sig -max_total_time=30
        working-directory: build