
Add attestation-based CI #6150

Draft
aryairani wants to merge 1 commit into trunk from ci/transcripts-before-push

Conversation

aryairani (Contributor) commented Jan 29, 2026

Overview

This PR implements an attestation-based CI system that moves a bunch of the work to before you git push and also caches results for speed.

The goal is that we could get PRs as far as the "ready to merge" state before having to run a million hours in CI.

  • Git hooks run the checks and cache the results. pre-commit just warns if there are failures, pre-push will block a push by default if it would fail CI, but you can override it if you just want to save your stuff to GitHub.
  • on feature branches: CI only verifies proofs exist (<10 seconds)
  • on trunk: Full tests still run on all architectures, but transcripts don't (tbd)

./scripts/check.sh, which is the one-stop shop for checks, now uses cached test results if available.

Usage

Git hooks

Install the git hooks with ./scripts/hooks/install.bash, and that's it.

Manual way

  1. Run ./scripts/check.sh (because it runs the tests and the transcripts) or the individual ./scripts/proofs/*.sh
  2. Check in: .github/workflows/proofs/*

Implementation approach and notes

  • Tracked proofs vs local (untracked) proofs
    • Local proofs (.gitignored in .local-proofs) keep the last 100 checks around for reuse, dropping the least recently added.
    • The version-controlled proofs file normally contains just the single current hash for CI to verify, with the git attribute merge=union to avoid always having a merge conflict.
  • Dependencies are listed with glob patterns in the respective scripts/proofs/*.sh script.
    • The "code" files (.yaml, .hs, .md) vs the "infrastructure" files (scripts/proofs/*.sh) are hashed separately, so that the latter can be a warning.
  • ci.yaml has a verify-proofs job on feature branches instead of running actual tests.
  • stack test and interpreter tests still run on trunk to catch any issues that slip through.
  • transcript tests don't get run on trunk, they become only part of the PR to verify output changes, not part of testing per se; although a transcript could be viewed either way.
  • The pre-push hook handles the workflow automatically: computes hash → checks local proofs → runs tests if needed → amends commit with proof → pushes
  • Used .gitattributes with merge=union to auto-merge proof files and avoid conflicts

Interesting/controversial decisions

  • when to ignore errors, warn, or block a git operation by default?
  • keep last 100 checks locally. need to think if this actually provides anything that the tracked file alone doesn't

Test coverage

Tested these cases manually:

  • attestation in local file but not in shared file: skips tests and writes shared file
  • attestation in shared file but not in local file: adds it to local file
  • modifying a key file invalidates attestation
  • modifying a non-key file doesn't invalidate attestation
  • ci fails if key file modified

Loose ends

  • when do we check and update transcripts on non-FF merges?
  • want to make transcripts faster to run in general, whether by consolidating them into fewer or what
  • maybe transcripts should run in CI instead of locally? but they do need to get checked in, and doing that in CI is crappier than it should be.

Final checklist

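The pre-push flow and the local-cache / tracked-file split described in the PR, as an added example that is not the PR's own code (scripts/proofs/*.sh and the hooks are not reproduced on this page): a small bash model of the per-pattern hashing, the untracked cache with eviction, the tracked proof file, and the feature-branch CI verification. The directory layout, the proof name `tests`, the cache format (one `HASH STATUS` line per entry), the function names and the stand-in check command are assumptions made for the example; it needs sha256sum or shasum on PATH.

```bash
#!/usr/bin/env bash
# Added example: a minimal model of hash-keyed attestations, not the PR's own
# scripts/proofs/*.sh or hooks. Assumed (hypothetical) layout:
#   $PROOF_DIR/NAME.txt   tracked file, normally one line: the hash CI verifies
#   $LOCAL_PROOFS/NAME    untracked cache, "HASH STATUS" per line, newest last
set -u

PROOF_DIR="${PROOF_DIR:-.github/workflows/proofs}"
LOCAL_PROOFS="${LOCAL_PROOFS:-.local-proofs}"
LOCAL_CACHE_SIZE="${LOCAL_CACHE_SIZE:-100}"

sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# proof_hash PATTERN... : one hash over the names and contents of every existing
# file matching the glob patterns (split on IFS, so no spaces in paths), sorted
# so directory order cannot change the result.
proof_hash() {
  local pat f
  for pat in "$@"; do
    for f in $pat; do [ -f "$f" ] && printf '%s\n' "$f"; done
  done | LC_ALL=C sort -u | while IFS= read -r f; do
    printf '== %s\n' "$f"; cat "$f"; printf '\n'
  done | sha256
}

# local_lookup NAME HASH : newest cached status for HASH; fails if never recorded
local_lookup() {
  [ -f "$LOCAL_PROOFS/$1" ] && grep "^$2 " "$LOCAL_PROOFS/$1" | tail -n 1 | cut -d' ' -f2 | grep .
}

# local_record NAME HASH STATUS : append, then keep only the newest
# LOCAL_CACHE_SIZE entries (the PR keeps 100, dropping the oldest added)
local_record() {
  mkdir -p "$LOCAL_PROOFS"
  printf '%s %s\n' "$2" "$3" >> "$LOCAL_PROOFS/$1"
  tail -n "$LOCAL_CACHE_SIZE" "$LOCAL_PROOFS/$1" > "$LOCAL_PROOFS/$1.tmp"
  mv "$LOCAL_PROOFS/$1.tmp" "$LOCAL_PROOFS/$1"
}

# write_tracked NAME HASH : the tracked proof is just the current passing hash
write_tracked() {
  mkdir -p "$PROOF_DIR"
  printf '%s\n' "$2" > "$PROOF_DIR/$1.txt"
}

# verify_tracked NAME HASH : the feature-branch CI job. merge=union can leave
# several lines in the tracked file, so any line equal to HASH is accepted.
verify_tracked() {
  [ -f "$PROOF_DIR/$1.txt" ] && grep -qx "$2" "$PROOF_DIR/$1.txt"
}

# ensure_proof NAME CHECK_CMD PATTERN... : the pre-push flow. Hash, consult the
# local cache, run CHECK_CMD only on a miss, record the result, refresh the
# tracked file on a pass. Prints cached-pass|cached-fail|ran-pass|ran-fail and
# exits 0 only on a pass, which is what a hook would block or allow on.
ensure_proof() {
  local name="$1" check="$2" hash status
  shift 2
  hash="$(proof_hash "$@")"
  if status="$(local_lookup "$name" "$hash")"; then
    printf 'cached-%s\n' "$status"
  else
    if eval "$check"; then status=pass; else status=fail; fi
    local_record "$name" "$hash" "$status"
    printf 'ran-%s\n' "$status"
  fi
  [ "$status" = pass ] && write_tracked "$name" "$hash"
  [ "$status" = pass ]
}

# demo_walkthrough : replays the cases from the PR description on constructed
# sample files in a scratch directory and prints one word per outcome.
demo_walkthrough() {
  local root; root="$(mktemp -d)"
  (
    cd "$root" || exit 1
    PROOF_DIR="$root/proofs"; LOCAL_PROOFS="$root/.local-proofs"; LOCAL_CACHE_SIZE=2
    mkdir -p src scripts/proofs
    printf 'main = putStrLn "hi"\n' > src/Main.hs
    printf 'notes\n' > notes.txt
    printf 'stack test\n' > scripts/proofs/tests.sh
    code='src/*.hs'; infra='scripts/proofs/*.sh'
    check='grep -q "^main " src/Main.hs'     # stand-in for the real test run
    infra0="$(proof_hash "$infra")"; out=""
    step() { local r; r="$(ensure_proof tests "$check" "$code")" || true; out="$out $r"; }
    step                                         # fresh tree: check runs
    step                                         # unchanged: served from cache
    echo 'more notes' >> notes.txt; step         # non-key file: still cached
    h1="$(proof_hash "$code")"
    echo '-- comment' >> src/Main.hs; step       # key file: new hash, check re-runs
    verify_tracked tests "$h1" && out="$out stale-ok" || out="$out stale-rejected"
    verify_tracked tests "$(proof_hash "$code")" && out="$out current-ok"
    printf 'main2 = ()\n' > src/Main.hs; step    # key file broken: check fails
    verify_tracked tests "$(proof_hash "$code")" || out="$out failing-rejected"
    local_lookup tests "$h1" >/dev/null || out="$out evicted"   # cache size 2
    printf 'stack test --fast\n' > scripts/proofs/tests.sh
    [ "$(proof_hash "$infra")" != "$infra0" ] && out="$out infra-changed"
    printf '%s\n' "${out# }"
  )
  rm -rf "$root"
}
```

`demo_walkthrough` plays through the manually tested cases from the description: the check runs once, is served from the cache on an unchanged tree and on a non-key-file edit, re-runs on a key-file edit, and a failing edit leaves the tracked file at the last passing hash so `verify_tracked` rejects the current tree, which is the state the pre-push hook would block. The infrastructure glob is hashed on its own so a change there can be surfaced as a warning rather than an invalidation. One caveat the model makes visible: a cache entry is keyed only by the hash of the globbed files, so a check whose result depends on anything outside those globs (toolchain version, environment variables) is replayed as a pass until its entry is evicted.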
aryairani force-pushed the ci/transcripts-before-push branch 7 times, most recently from 9b7379f to b0c1bc1 on February 5, 2026 09:27
Add a local attestation system that records pass/fail results keyed by
source hash, allowing CI checks to be skipped when code hasn't changed.

Includes attestations for formatting, tests, transcripts, and weeds,
although checks for formatting and weeds are currently disabled.

- Add scripts/proofs/ with hash computation and run-and-record scripts
- Add scripts/hooks/ with git hooks (pre-commit, pre-push) to run checks
  and verify attestations
- Store attestations in .github/workflows/proofs/*.txt (tracked) and
  .local-proofs/ (local cache)
- Use .gitattributes merge=union to avoid conflicts on proof files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
aryairani force-pushed the ci/transcripts-before-push branch from ca2691c to a056e25 on February 7, 2026 09:19
