Add CBMC proofs to CI

The setup is closely following mlkem-native (which makes it slightly more
elaborate than we need right now, but it will make it easier in the future
to align the functonality).

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

.github/actions/cbmc/action.yml

@@ -0,0 +1,54 @@
+# Copyright (c) The mlkem-native project authors
+# Copyright (c) The slhdsa-c project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: CBMC
+description: Run CBMC proofs for slhdsa-c
+
+inputs:
+  nix-shell:
+    description: Run in the specified Nix environment if exists
+    default: "ci-cbmc"
+  nix-cache:
+    description: Determine whether to enable nix cache
+    default: 'true'
+  nix-verbose:
+    description: Determine wether to suppress nix log or not
+    default: 'false'
+  custom_shell:
+    description: The shell to use. Only relevant if use-nix is 'false'
+    default: "bash"
+  gh_token:
+    description: Github access token to use
+    required: true
+runs:
+  using: composite
+  steps:
+      - uses: ./.github/actions/setup-shell
+        with:
+          nix-shell: ${{ inputs.nix-shell }}
+          nix-cache: ${{ inputs.nix-cache }}
+          nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
+          custom_shell: ${{ inputs.custom_shell }}
+          script: |
+
+            if [[ ${{ inputs.nix-shell }} != '' ]]; then
+              nix-collect-garbage
+            fi
+
+            cat >> $GITHUB_STEP_SUMMARY << EOF
+              ## Setup
+              Architecture: $(uname -m)
+              - $(nix --version)
+              - $(cbmc --version)
+              - litani Version $(litani --version)
+              - Cadical Version $(cadical --version)
+              - $(bash --version | grep -m1 "")
+            EOF
+      - name: Run CBMC proofs
+        shell: ${{ env.SHELL }}
+        run: |
+          cd proofs/cbmc
+          python3 run-cbmc-proofs.py --summarize --no-coverage -j$(nproc)
+

.github/actions/setup-nix/action.yml

@@ -0,0 +1,138 @@
+# Copyright (c) The mlkem-native project authors
+# Copyright (c) The slhdsa-c project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Setup nix
+description: Setup nix
+
+inputs:
+  script:
+    description: The script to be run in the nix shell
+    required: false
+  devShell:
+    description: The name of the devShell
+    required: true
+  cache:
+    description: Determine whether to enable nix cache
+    default: 'false'
+  verbose:
+    description: Determine wether to suppress nix log or not
+    default: 'false'
+  cache_prefix:
+    description: Fixed prefix of ID of Github cache entries that should be removed.
+    required: false
+  save_cache:
+    description: Determine whether to save cache with primary key or not
+    required: false
+    default: 'false'
+  gh_token:
+    description: Github access token to use
+    required: true
+  install:
+    required: false
+    description: Determine how to install nix ('installer' | 'apt')
+    default: 'installer'
+
+runs:
+  using: composite
+  steps:
+    - name: Pre-check nix
+      id: nix-pre-check
+      if: ${{ env.NIX_SHELL == '' }}
+      shell: bash -lo pipefail {0}
+      run: |
+        suppress() {
+          local exit_code="$?"
+          local line_no="$1"
+          echo "Nix check failed at $line_no: $exit_code"
+          echo "installed=false" >> $GITHUB_OUTPUT
+          exit 0
+        }
+
+        trap 'suppress $LINENO' ERR
+
+        if [[ $USER == 'root' ]]; then
+          mkdir -p /root
+          echo "HOME=/root" >> $GITHUB_ENV
+        fi
+
+        nix --version
+    - name: Install nix via apt
+      if: ${{ steps.nix-pre-check.outputs.installed == 'false' && inputs.install == 'apt' }}
+      shell: bash
+      run: |
+        if [[ -f /.dockerenv ]]; then
+          apt install nix -y
+        else
+          sudo apt install nix -y
+        fi
+        mkdir -p ~/.config/nix
+        cat >> ~/.config/nix/nix.conf << EOF
+          experimental-features = nix-command flakes
+        EOF
+
+        if [[ ! -z $GH_TOKEN ]]; then
+          echo "access-tokens = github.com=$GH_TOKEN" >> ~/.config/nix/nix.conf
+        fi
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      if: ${{ steps.nix-pre-check.outputs.installed == 'false' }}
+      with:
+        github_access_token: ${{ inputs.gh_token }}
+    - name: Post-check nix
+      id: nix-post-check
+      continue-on-error: true
+      shell: bash -lo pipefail {0}
+      run: |
+        echo "::group::nix config"
+        if [[ -z "${{ inputs.cache_prefix }}" ]]; then
+          cache_prefix="${{ runner.os }}-${{ runner.arch }}"
+        else
+          cache_prefix="${{ inputs.cache_prefix }}"
+        fi
+
+        echo "cache_prefix=$cache_prefix" >> $GITHUB_OUTPUT
+
+        if [[ "${{ steps.nix-pre-check.outputs.installed }}" == 'false' ]]; then
+          sudo chown -R $USER:nixbld /nix
+        fi
+
+        nix profile install nixpkgs/nixos-24.11#sqlite
+        nix config show
+        echo "::endgroup::"
+    - uses: nix-community/cache-nix-action@dab0514428ae3988852b7787a6d86a6fc571cc9d #v6.0.0
+      id: cache
+      if: ${{ env.NIX_CACHE_ENABLED != 1 && inputs.cache == 'true' }}
+      continue-on-error: true
+      with:
+        primary-key: ${{ steps.nix-post-check.outputs.cache_prefix }}-${{ hashFiles('**/*.nix') }}
+        restore-prefixes-first-match: ${{ steps.nix-post-check.outputs.cache_prefix }}
+        gc-max-store-size-linux: 536870912
+        purge: ${{ inputs.save_cache == 'true' }}
+        save: ${{ inputs.save_cache == 'true' }}
+        purge-prefixes: cache-${{ steps.nix-post-check.outputs.cache_prefix }}
+        purge-created: 0
+        purge-primary-key: ${{ inputs.save_cache == 'true' && 'always' || 'never' }}
+        token: ${{ inputs.gh_token }}
+    - name: Set Shell
+      shell: bash -lo pipefail {0}
+      run: |
+        echo "::group::set nix shell"
+        if [[ "${{ steps.cache.outputs.hit-primary-key }}" == "true" ]]; then
+          echo NIX_CACHE_ENABLED=1 >> $GITHUB_ENV
+        fi
+
+        echo NIX_SHELL="${{ inputs.devShell }}" >> $GITHUB_ENV
+        nix_extra_flags="${{ inputs.verbose == 'false' && '--quiet' || '' }}"
+        if [[ ${{ inputs.install }} == 'apt' && ! -f /.dockerenv ]]; then
+          echo SHELL="sudo $(which nix) develop $nix_extra_flags .#${{ inputs.devShell }} -c bash -e {0}" >> $GITHUB_ENV
+        else
+          echo SHELL="$(which nix) develop $nix_extra_flags .#${{ inputs.devShell }} -c bash -e {0}" >> $GITHUB_ENV
+        fi
+        echo "::endgroup::"
+    - name: Prepare nix dev shell
+      shell: ${{ env.SHELL }}
+      run: |
+    - name: Dependency check
+      shell: ${{ env.SHELL }}
+      if: inputs.script != ''
+      run: eval ${{ inputs.script }}

.github/actions/setup-shell/action.yml

@@ -0,0 +1,52 @@
+# Copyright (c) The mlkem-native project authors
+# Copyright (c) The slhdsa-c project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Set Shell
+description: Setup nix or custom shell for workflows
+
+inputs:
+  nix-shell:
+    description: Run in the specified Nix environment if exists. If empty, custom shell will be used instead of nix.
+    default: 'ci'
+  nix-cache:
+    description: Determine whether to enable nix cache
+    default: 'false'
+  nix-cache-prefix:
+    description: Fixed prefix of ID of Github cache entries that should be removed.
+    required: false
+  nix-verbose:
+    description: Determine wether to suppress nix log or not
+    default: 'false'
+  custom_shell:
+    description: The shell to use. Only relevant if no nix-shell specified
+    default: 'bash'
+  script:
+    description: The script to be run in the nix shell
+    required: false
+  gh_token:
+    description: Github access token to use
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup nix
+      uses: ./.github/actions/setup-nix
+      if: ${{ inputs.nix-shell != '' }}
+      with:
+        devShell: ${{ inputs.nix-shell }}
+        gh_token: ${{ inputs.gh_token }}
+        verbose: ${{ inputs.nix-verbose }}
+        cache: ${{ inputs.nix-cache }}
+        script: ${{ inputs.script }}
+        cache_prefix: ${{ inputs.nix-cache-prefix }}
+    - name: Set custom shell
+      shell: bash
+      if: ${{ inputs.nix-shell == '' }}
+      run: |
+          echo SHELL="${{ inputs.custom_shell }}" >> $GITHUB_ENV
+
+          if [[ "${{ inputs.script }}" != '' ]]; then
+            eval ${{ inputs.script }}
+          fi

.github/workflows/all.yml

@@ -0,0 +1,32 @@
+# Copyright (c) The mlkem-native project authors
+# Copyright (c) The slhdsa-c project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: CI
+permissions:
+  contents: read
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+    types: [ "opened", "synchronize" ]
+jobs:
+  nix:
+    name: Nix
+    permissions:
+      actions: 'write'
+      contents: 'read'
+      id-token: 'write'
+    uses: ./.github/workflows/nix.yml
+    secrets: inherit
+  cbmc:
+    name: CBMC
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    needs: [ nix ]
+    uses: ./.github/workflows/cbmc.yml
+    secrets: inherit
+    

.github/workflows/cbmc.yml

@@ -0,0 +1,20 @@
+# Copyright (c) The mlkem-native project authors
+# Copyright (c) The slhdsa-c project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: CBMC
+permissions:
+  contents: read
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  cbmc:
+    name: CBMC
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ./.github/actions/cbmc
+        with:
+          gh_token: ${{ secrets.GITHUB_TOKEN }}