26 changes: 16 additions & 10 deletions .github/workflows/build_docker_images.yml
Expand Up @@ -15,8 +15,9 @@ name: Build and push base docker images
on:
push:
paths:
- 'data/dockerfiles/Dockerfile.*'
- 'requirements*.txt'
- 'data/dockerfiles/Dockerfile.*'
- '.github/workflows/build_docker_images.yml'
- 'requirements*.txt'
workflow_dispatch:

jobs:
Expand All @@ -36,28 +37,33 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

# Some accounts did not use a lowercase repository owner, so we need to ensure
# that the repository owner is always in lowercase to be able to build the images.
- name: Set lowercase GitHub owner
run: echo "REPO_OWNER_LC=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_ENV

- name: Build and push base Docker image
run: |
docker buildx build \
--tag ghcr.io/${{ github.repository_owner }}/cmp-test-base:latest \
--tag ghcr.io/${REPO_OWNER_LC}/cmp-test-base:latest \
--push \
-f data/dockerfiles/Dockerfile.base .

- name: Build and push dev Docker image
run: |
docker buildx build \
--tag ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest \
--build-arg BASE_IMAGE=ghcr.io/${{ github.repository_owner }}/cmp-test-base:latest \
--tag ghcr.io/${REPO_OWNER_LC}/cmp-test-dev:latest \
--build-arg BASE_IMAGE=ghcr.io/${REPO_OWNER_LC}/cmp-test-base:latest \
--push \
-f data/dockerfiles/Dockerfile.dev .

- name: Build and push the production test suite Docker image
# This one is meant to be directly invoked by end-users who don't want to get into the details
# of how the test suite works, they just want to run it to test their CA. For their convenience,
# we give it a short name, to be invoked as `docker run --rm -it ghcr.io/siemens/cmp-test`
# This one is meant to be directly invoked by end-users who don't want to get into the details
# of how the test suite works, they just want to run it to test their CA. For their convenience,
# we give it a short name, to be invoked as `docker run --rm -it ghcr.io/siemens/cmp-test`
run: |
docker buildx build \
--tag ghcr.io/${{ github.repository_owner }}/cmp-test:latest \
--build-arg BASE_IMAGE=ghcr.io/${{ github.repository_owner }}/cmp-test-base:latest \
--tag ghcr.io/${REPO_OWNER_LC}/cmp-test:latest \
--build-arg BASE_IMAGE=ghcr.io/${REPO_OWNER_LC}/cmp-test-base:latest \
--push \
-f data/dockerfiles/Dockerfile.tests .
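Review bot: The `push` trigger on lines 26-34 carries a `paths` filter but no `branches` filter, so a push on any branch that touches the listed files — now including this workflow itself — rebuilds and overwrites every `latest` tag, including the end-user-facing `cmp-test:latest` built in the last step. Adding a `branches:` list naming the default branch under `push:` (and building untagged or with a ref-derived tag elsewhere, if branch builds are wanted) keeps feature-branch work from republishing the images that CI and users pull. In the new `Set lowercase GitHub owner` step, `>> $GITHUB_ENV` should be written `>> "$GITHUB_ENV"` as ordinary shell hygiene.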
164 changes: 102 additions & 62 deletions .github/workflows/check_quality.yml
Expand Up @@ -17,70 +17,111 @@ jobs:
# Stage 1: fast and basic checks, we run them in parallel to provide more feedback to the contributor at once,
# instead of running them sequentially and giving feedback one piece at a time, requiring more iterations.
ruff_lint:
needs: prepare_env
runs-on: ubuntu-22.04
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Code style
run: ruff check
- uses: actions/checkout@v4
- name: Code style (ruff)
run: docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" ruff check

license_check:
needs: prepare_env
runs-on: ubuntu-22.04
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: License check
run: reuse lint
- uses: actions/checkout@v4
- name: License check (reuse)
run: docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" reuse lint

rf_style_check:
rf-run-able:
# Checks if the RobotFramework tests can be executed (dryrun). If not, uploads the artifacts for debugging.
# Sometimes it is import error or some sub dependency missing, this helps to identify such issues early.
needs: prepare_env
runs-on: ubuntu-22.04
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: RobotFramework style check
run: robocop check --ignore VAR04
- uses: actions/checkout@v4

# 1) Run dryrun but don't stop the job on failure
- name: RobotFramework run-ability check
id: dryrun
continue-on-error: true
run: |
set -euo pipefail
docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" \
make dryrun

# 2) Upload ONLY if the dryrun step failed
- name: Upload RobotFramework artifacts (only if dryrun failed)
if: ${{ steps.dryrun.outcome == 'failure' }}
uses: actions/upload-artifact@v4
with:
name: robot-dryrun-artifacts-${{ github.run_id }}
path: |
./output.xml
./log.html
./report.html
if-no-files-found: warn
retention-days: 14

# 3) Fail the job if dryrun failed (after uploading)
- name: Mark job as failed if dryrun failed
if: ${{ steps.dryrun.outcome == 'failure' }}
run: exit 1

rf_style_check:
needs: prepare_env
runs-on: ubuntu-22.04
# We haven't settled on a style for RobotFramework yet, enforce check when consensus is reached
continue-on-error: true
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- uses: actions/checkout@v4
- name: RobotFramework style check (robocop)
run: docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" robocop check --ignore VAR04

spelling_check:
needs: prepare_env
runs-on: ubuntu-22.04
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Spelling checker
run: codespell . --check-filenames --skip *.html,*.pem,*.xml,*venv*,*fips/*.py,*/announcement.py,./data/rfc_test_vectors/*
- uses: actions/checkout@v4
- name: Spelling checker (codespell)
run: |
docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" \
codespell . --check-filenames --skip "*.html,*.pem,*.xml,*venv*,*fips/*.py,*/announcement.py,./data/rfc_test_vectors/*"

dependency_check:
# See if newer versions of our Python dependencies are available. This does
# not enforce anything, and only has an informational character.
needs: prepare_env
runs-on: ubuntu-22.04
continue-on-error: true
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- name: Check for outdated dependencies
run: |
echo "Checking for outdated packages..."
OUTDATED=$(pip list --outdated --format=columns)
if [ -z "$OUTDATED" ]; then
echo "All packages are up to date!"
exit 0
else
echo "Outdated packages detected, think about it:"
echo "$OUTDATED"
exit 1
fi
docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" bash -c '
echo "Checking for outdated packages..."
OUTDATED=$(pip list --outdated --format=columns)
if [ -z "$OUTDATED" ]; then
echo "All packages are up to date!"
exit 0
else
echo "Outdated packages detected, think about it:"
echo "$OUTDATED"
exit 1
fi'

version_check:
needs: prepare_env
runs-on: ubuntu-22.04
steps:
- name: Checkout code
Expand All @@ -98,41 +139,40 @@ jobs:
# Stage 2: these checks are more expensive and do more with the code, e.g., attempt to import dependencies,
# execute some logic, etc.
pylint:
needs: [ruff_lint, license_check, rf_style_check, spelling_check]
# needs must include prepare_env, as it is used to set the image name.
needs: [prepare_env, ruff_lint, license_check, rf_style_check, spelling_check]
runs-on: ubuntu-22.04
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/checkout@v4
- name: Pylint check
run: pylint --fail-under=9.4 resources
run: docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" pylint --fail-under=9.4 resources

unit_test:
needs: [ruff_lint, license_check, rf_style_check, spelling_check]
# needs must include prepare_env, as it is used to set the image name.
needs: [prepare_env, ruff_lint, license_check, rf_style_check, spelling_check]
runs-on: ubuntu-22.04
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest
env:
OQS_INSTALL_PATH: "/root/_oqs"
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Unit tests
run: python3 -m unittest discover -s unit_tests
- uses: actions/checkout@v4
- name: Run unit tests
run: |
docker run --rm -v "$PWD:/workspace" -w /workspace -e OQS_INSTALL_PATH=/root/_oqs "$IMAGE" \
python3 -m unittest discover -s unit_tests

type_check:
needs: prepare_env
runs-on: ubuntu-22.04
container:
image: ghcr.io/${{ github.repository_owner }}/cmp-test-dev:latest

steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Pyright check
run: pyright
# not enforced yet, but it is still executed to provide some info
# not enforced yet, but it is still executed to provide some info.
continue-on-error: true
env:
IMAGE: ${{ needs.prepare_env.outputs.image_lc }}
steps:
- uses: actions/checkout@v4
- name: Pyright type check
run: docker run --rm -v "$PWD:/workspace" -w /workspace "$IMAGE" pyright

prepare_env:
runs-on: ubuntu-22.04
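Review bot: The new job id `rf-run-able` uses kebab-case while every other job id in this file is snake_case (`ruff_lint`, `license_check`, `rf_style_check`, `spelling_check`); renaming it `rf_run_able` keeps the file consistent. It is also missing from the stage-2 `needs` lists at `needs: [prepare_env, ruff_lint, license_check, rf_style_check, spelling_check]` for both `pylint` and `unit_test`, so those jobs no longer wait on the dry-run check — if it is meant to gate stage 2, add it there. Every job now runs `docker run ... "$IMAGE"` with an image name taken from `needs.prepare_env.outputs.image_lc`; the removed `container:` lines pulled `cmp-test-dev:latest`, and if the output still resolves to a mutable tag, pinning the pull to a digest would make CI results reproducible and not silently change whenever the image is republished. `prepare_env` itself starts at the end of this section and is cut off, so I cannot confirm how `image_lc` is derived.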
4 changes: 2 additions & 2 deletions client_tests/cmp_client.py
Expand Up @@ -55,8 +55,8 @@ def get_cmp_command(client: str = "openssl", **kwargs) -> list: # noqa: D417
-------
- List of command-line arguments suitable for use with Run Process

Example:
-------
Examples:
--------
| ${args}= | Get CMP Command | openssl | cmd=ir | server=http://localhost:5000 | ... |

"""
3 changes: 1 addition & 2 deletions client_tests/cmp_tests_jinja.robot
@@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: Copyright 2025 Siemens AG
# SPDX-FileCopyrightText: Copyright 2025 Siemens AG # robocop: off=COM04
#
# SPDX-License-Identifier: Apache-2.0

Expand Down Expand Up @@ -48,7 +48,6 @@ IR 01 - Valid IR CMP Request Should Pass
... The OpenSSL client output should not contain any errors,
... and a certificate should be written to the specified path.
[Tags] ir valid positive

${args}= Get CMP Command
... ${CMP_CLIENT}
... cmd=${INITIATION_REQUEST}
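Review bot: Appending `# robocop: off=COM04` to the `# SPDX-FileCopyrightText: Copyright 2025 Siemens AG` line changes the SPDX header, and REUSE tooling takes the remainder of that line as the copyright statement, so the `license_check` job's `reuse lint` will likely now see `Siemens AG # robocop: off=COM04` as the holder rather than ignore the suffix. Placing the robocop directive on its own comment line below the SPDX block keeps the copyright text clean while still silencing the rule.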
4 changes: 2 additions & 2 deletions data/dockerfiles/Dockerfile.base
Expand Up @@ -17,8 +17,8 @@ RUN pip3 install --upgrade pip && \
pip3 install -r /app/requirements.txt

# Build and install liboqs-python
RUN git clone --depth=1 https://github.com/open-quantum-safe/liboqs-python && \
pip3 install ./liboqs-python && \
RUN git clone --depth=1 https://github.com/Guiliano99/liboqs-python-stateful-sig && \
pip3 install ./liboqs-python-stateful-sig && \
python3 -c "import oqs" # Trigger the build of liboqs, by importing it

# Remove unnecessary packages after we're done
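Review bot: The changed `RUN git clone --depth=1 https://github.com/Guiliano99/liboqs-python-stateful-sig` line swaps the upstream open-quantum-safe repository for a personal fork and still clones whatever that fork's default branch currently points at, so every base-image build pulls unpinned code into an image that both CI and end users run. Pin the fork to a fixed revision — `git clone --depth=1 --branch <tag> ...` or a `git checkout <commit-sha>` after the clone, with real values substituted for the placeholders — so a later push to the fork cannot silently change the image. The comment above the line still reads `# Build and install liboqs-python`; it should say why the fork is used instead of upstream (the name suggests stateful-signature support, but that is an inference).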
2 changes: 1 addition & 1 deletion requirements-dev.txt
Expand Up @@ -5,7 +5,7 @@
safety>= 3.3.1, < 4.0.0
pylint>= 4.0.2, < 5.0.0
black>= 25.0.0, < 26.0.0
ruff>= 0.12.12, < 1.0.0
ruff>= 0.14.3, < 1.0.0
robotframework-robocop==6.9.2
robotframework-tidy==4.18.0
pyright==1.1.407