Runnable Assurance (Sentinel v2.4) #65
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Runnable Assurance (Sentinel v2.4) | |
| # Executes the runnable proof obligations behind the governance artifacts: | |
| # OPA policy tests, TLA+ TLC model check, GC-IR cross-target harness, and the | |
| # SRC-1 Groth16 concentration-bound proof flow. | |
| on: | |
| push: | |
| paths: | |
| - 'governance_artifacts/**' | |
| - '.github/workflows/runnable-assurance.yml' | |
| pull_request: | |
| paths: | |
| - 'governance_artifacts/**' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| runnable-assurance: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Set up Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| - name: Set up Java (for TLA+ TLC) | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: temurin | |
| java-version: '17' | |
| - name: Install Python deps | |
| run: pip install pyyaml jsonschema dilithium-py pytest | |
| - name: Install OPA | |
| run: | | |
| curl -sSL -o /usr/local/bin/opa https://openpolicyagent.org/downloads/v0.70.0/opa_linux_amd64_static | |
| chmod +x /usr/local/bin/opa | |
| opa version | |
| - name: Install circom 2.1.9 | |
| run: | | |
| mkdir -p "$HOME/.local/bin" | |
| curl -L -o "$HOME/.local/bin/circom" https://github.com/iden3/circom/releases/download/v2.1.9/circom-linux-amd64 | |
| chmod +x "$HOME/.local/bin/circom" | |
| echo "$HOME/.local/bin" >> "$GITHUB_PATH" | |
| - name: Install snarkjs + circomlib | |
| working-directory: governance_artifacts/zk | |
| run: npm install | |
| - name: Fetch TLA+ tools | |
| run: | | |
| mkdir -p governance_artifacts/tla/tools | |
| curl -L -o governance_artifacts/tla/tools/tla2tools.jar \ | |
| https://github.com/tlaplus/tlaplus/releases/download/v1.7.4/tla2tools.jar | |
| - name: Compile circuits | |
| working-directory: governance_artifacts/zk | |
| run: | | |
| circom circuits/src1_concentration_bound.circom --r1cs --wasm --sym --O0 -o circuits/ | |
| circom circuits/src_fair1_reason_code_check.circom --r1cs --wasm --sym --O0 -o circuits/ | |
| - name: Unit tests (routing + PQC WORM) | |
| run: | | |
| pytest governance_artifacts/routing/test_sara_acr_router.py -q | |
| pytest governance_artifacts/kafka/test_pqc_worm_logger_v2.py -q | |
| - name: Run runnable assurance suite | |
| run: bash governance_artifacts/run_runnable_assurance.sh |