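# SPDX-License-Identifier: Apache-2.0

# Reusable workflow: start an ephemeral self-hosted EC2 runner, run the
# lint / functional / CBMC suite on it (natively, or inside a container
# image when `container` is set), then terminate the instance. Callers
# invoke it through `uses:` and the `workflow_call` inputs below.
name: ci-ec2-reusable

# Default token scope for every job. Jobs that need more (the OIDC token
# used to assume AWS_ROLE) raise it explicitly and locally.
permissions:
  contents: read

on:
  workflow_call:
    inputs:
      # NOTE(review): `name` is not referenced anywhere in this file;
      # presumably the caller uses it for its own job naming — confirm.
      name:
        type: string
        description: Alternative name of instance
        default: Graviton2
      ec2_instance_type:
        type: string
        description: Type of EC2 instance to benchmark on
        default: t4g.small
      ec2_ami:
        type: string
        description: 'AMI selector: "ubuntu-latest (x86_64)", "ubuntu-latest (aarch64)" or "ubuntu-latest (custom AMI)"'
        default: ubuntu-latest (aarch64)
      ec2_ami_id:
        type: string
        description: AMI ID; only used when ec2_ami is "ubuntu-latest (custom AMI)"
        default: ami-096ea6a12ea24a797
      cflags:
        type: string
        description: Custom CFLAGS for compilation
        default: ""
      verbose:
        description: Determine the log verbosity
        type: boolean
        default: false
      compile_mode:
        type: string
        description: either all, native, cross or none
        default: all
      opt:
        type: string
        description: either all, opt or no_opt
        default: all
      functest:
        type: boolean
        default: true
      kattest:
        type: boolean
        default: true
      nistkattest:
        type: boolean
        default: true
      acvptest:
        type: boolean
        default: true
      lint:
        type: boolean
        default: true
      cbmc:
        type: boolean
        default: false
      cbmc_mlkem_k:
        type: string
        # Quoted: the input is declared as a string, so keep the default one too.
        default: '2'
      container:
        type: string
        description: Image name (pulled from localhost:5000 on the runner) to run the tests in; empty runs natively
        default: ''
    # Declared so that callers passing secrets explicitly get a validation
    # error instead of an empty token at runtime; `secrets: inherit` callers
    # are unaffected. Every job below uses this token.
    secrets:
      AWS_GITHUB_TOKEN:
        description: GitHub token used to (de)register the EC2 runner and by the composite actions
        required: true

env:
  # Role assumed via OIDC by configure-aws-credentials (role-to-assume with
  # no static keys); the role's trust policy should be scoped to this repo —
  # verify on the AWS side.
  AWS_ROLE: arn:aws:iam::559050233797:role/mlkem-c-aarch64-gh-action
  AWS_REGION: us-east-1
  AMI_UBUNTU_LATEST_X86_64: ami-0e86e20dae9224db8
  AMI_UBUNTU_LATEST_AARCH64: ami-096ea6a12ea24a797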
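jobs:
  start-ec2-runner:
    name: Start instance (${{ inputs.ec2_instance_type }})
    permissions:
      contents: 'read'
      # Needed to mint the OIDC token that configure-aws-credentials
      # exchanges for AWS_ROLE; no long-lived AWS keys are stored.
      id-token: 'write'
    runs-on: ubuntu-latest
    # Non-cancellable on purpose: avoids the race where an instance has been
    # started but has not yet registered as a runner and reported its label /
    # instance id back (which stop-ec2-runner needs to clean it up).
    if: ${{ always() }}
    outputs:
      label: ${{ steps.start-ec2-runner.outputs.label }}
      ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Determine AMI ID
        id: det_ami_id
        # Caller inputs are passed through `env` and read as shell variables
        # rather than interpolated into the script text, so a crafted value
        # cannot change the command (GitHub's script-injection guidance).
        # An unknown selector, or a custom selector without an id, fails the
        # job instead of silently launching with an empty image id.
        env:
          EC2_AMI: ${{ inputs.ec2_ami }}
          EC2_AMI_ID: ${{ inputs.ec2_ami_id }}
        run: |
          case "$EC2_AMI" in
            "ubuntu-latest (x86_64)")     AMI_ID="$AMI_UBUNTU_LATEST_X86_64" ;;
            "ubuntu-latest (aarch64)")    AMI_ID="$AMI_UBUNTU_LATEST_AARCH64" ;;
            "ubuntu-latest (custom AMI)") AMI_ID="$EC2_AMI_ID" ;;
            *)
              echo "::error::Unknown ec2_ami selector: '$EC2_AMI'"
              exit 1 ;;
          esac
          if [[ -z "$AMI_ID" ]]; then
            echo "::error::No AMI id resolved for ec2_ami='$EC2_AMI' (ec2_ami_id is required for the custom selector)"
            exit 1
          fi
          echo "Using AMI ID: $AMI_ID"
          echo "AMI_ID=$AMI_ID" >> "$GITHUB_OUTPUT"
      - name: Clear nix-installer action cache
        uses: ./.github/actions/clear-cache
        with:
          key_prefix: determinatesystem-nix-installer-
          repository: ${{ github.repository }}
          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ env.AWS_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Start EC2 runner
        id: start-ec2-runner
        # Third-party action pinned to a full commit SHA so it cannot be
        # swapped underneath us via a moving tag; note the upstream version
        # in a comment when bumping, as done for the other actions above.
        uses: mkannwischer/ec2-github-runner@d15c8804522523d2bac7119a01ffff83b7795d87
        with:
          mode: start
          github-token: ${{ secrets.AWS_GITHUB_TOKEN }}
          ec2-image-id: ${{ steps.det_ami_id.outputs.AMI_ID }}
          ec2-instance-type: ${{ inputs.ec2_instance_type }}
          subnet-id: subnet-07b2729e5e065962f
          security-group-id: sg-0ab2e297196c8c381

  container_tests:
    name: Run container tests
    needs: start-ec2-runner
    # Only one of container_tests / tests runs, selected by `container`.
    if: ${{ inputs.container != '' }}
    runs-on: ${{ needs.start-ec2-runner.outputs.label }}
    # Image comes from a registry local to the EC2 runner host.
    container:
      localhost:5000/${{ inputs.container }}
    steps:
      # Manual checkout instead of actions/checkout (kept commented out
      # below) — presumably because the test images lack the Node runtime
      # the action needs; confirm before switching back. Fetching by
      # $GITHUB_SHA pins the exact commit under test.
      # Fix: the remote URL previously read `$GITHUB_SERVER_URL/GITHUB_REPOSITORY`
      # (missing `$`), which can never resolve to the repository.
      - name: Install tooling and check out source
        run: |
          if command -v yum >/dev/null; then
            # NOTE(review): python3-venv is a Debian package name; on
            # yum-based images it may not resolve — confirm against the
            # images actually used.
            yum install make git python3-venv -y
            sudo pip3 install virtualenv
          elif command -v apt >/dev/null; then
            apt install make git python3-venv -y
          fi
          git init
          git remote add origin "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
          git fetch origin --depth 1 "$GITHUB_SHA"
          git checkout FETCH_HEAD
          if command -v yum >/dev/null; then
            virtualenv venv
          elif command -v apt >/dev/null; then
            python3 -m venv venv
          fi
          source venv/bin/activate
          python3 -m pip install -r requirements.txt
          echo "$(pwd)/venv/bin/" >> "$GITHUB_PATH"
      # - uses: actions/checkout@v3
      # - uses: ./.github/actions/setup-os
      #   with:
      #     sudo: ""
      - name: make quickcheck
        run: |
          OPT=0 make quickcheck >/dev/null
          make clean >/dev/null
          OPT=1 make quickcheck >/dev/null
      - name: Functional Tests
        uses: ./.github/actions/multi-functest
        with:
          nix-shell: ""
          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
          cflags: ${{ inputs.cflags }}
          compile_mode: ${{ inputs.compile_mode }}
          opt: ${{ inputs.opt }}
          func: ${{ inputs.functest }}
          kat: ${{ inputs.kattest }}
          nistkat: ${{ inputs.nistkattest }}
          acvp: ${{ inputs.acvptest }}

  tests:
    name: Run tests
    needs: start-ec2-runner
    if: ${{ inputs.container == '' }}
    runs-on: ${{ needs.start-ec2-runner.outputs.label }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Linting
        if: ${{ inputs.lint }}
        uses: ./.github/actions/lint
        with:
          nix-shell: ci-linter
          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
          nix-verbose: ${{ inputs.verbose }}
      - name: Preprocess
        id: preprocess
        shell: bash
        # Selects the nix shell: `ci` or `ci-cbmc`, with a `-cross` suffix
        # when compile_mode is cross or all. Only expression-chosen literals
        # reach the script here (no raw caller strings), so inlining is safe.
        run: |
          echo "nix-shell=${{ inputs.cbmc && 'ci-cbmc' || 'ci' }}${{ (inputs.compile_mode == 'cross' || inputs.compile_mode == 'all') && '-cross' || '' }}" >> "$GITHUB_OUTPUT"
      - name: Functional Tests
        uses: ./.github/actions/multi-functest
        with:
          nix-shell: ${{ steps.preprocess.outputs.nix-shell }}
          # nix-cache is enabled only for the cbmc / cross shells — see the
          # composite action for what it does.
          nix-cache: ${{ inputs.cbmc || inputs.compile_mode == 'cross' || inputs.compile_mode == 'all' }}
          nix-verbose: ${{ inputs.verbose }}
          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
          cflags: ${{ inputs.cflags }}
          compile_mode: ${{ inputs.compile_mode }}
          opt: ${{ inputs.opt }}
          func: ${{ inputs.functest }}
          kat: ${{ inputs.kattest }}
          nistkat: ${{ inputs.nistkattest }}
          acvp: ${{ inputs.acvptest }}
      - name: CBMC
        # Still runs when the functional tests failed (so proofs are reported
        # alongside test failures), but not when the job was cancelled.
        if: ${{ inputs.cbmc && (success() || failure()) }}
        uses: ./.github/actions/cbmc
        with:
          nix-shell: ${{ steps.preprocess.outputs.nix-shell }}
          nix-verbose: ${{ inputs.verbose }}
          mlkem_k: ${{ inputs.cbmc_mlkem_k }}
          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}

  stop-ec2-runner:
    name: Stop instance (${{ inputs.ec2_instance_type }})
    permissions:
      contents: 'read'
      id-token: 'write'
    needs:
      - start-ec2-runner
      - tests
      - container_tests
    runs-on: ubuntu-latest
    # always(): the instance must be terminated even if a test job failed or
    # was skipped. NOTE(review): if start-ec2-runner failed before emitting
    # its outputs, label / ec2-instance-id are empty here and the stop action
    # has nothing to act on — an orphaned instance then needs manual cleanup.
    if: ${{ always() }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ env.AWS_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Stop EC2 runner
        uses: mkannwischer/ec2-github-runner@d15c8804522523d2bac7119a01ffff83b7795d87
        with:
          mode: stop
          github-token: ${{ secrets.AWS_GITHUB_TOKEN }}
          label: ${{ needs.start-ec2-runner.outputs.label }}
          ec2-instance-id: ${{ needs.start-ec2-runner.outputs.ec2-instance-id }}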