Runnable Assurance (Sentinel v2.4) #68
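---
name: Runnable Assurance (Sentinel v2.4)
# Executes the runnable proof obligations behind the governance artifacts:
# OPA policy tests, TLA+ TLC model checks, GC-IR cross-target harness, the
# SRC-1 Groth16 concentration-bound proof + relayer pipeline, Solidity contract
# hardening, the 2028 pilot acceptance-gate checklist, and the next-app dashboard
# security test suite.
#
# Supply-chain notes for reviewers of this workflow:
# - Third-party actions are pinned to mutable major tags (@v4 / @v5). Pin each
#   to a full commit SHA (e.g. `actions/checkout@<40-hex-commit-sha>  # v4`) so
#   a re-tagged release cannot change what runs with the repository token.
# - OPA, circom and tla2tools.jar are downloaded over HTTPS but never
#   checksum-verified. Record the digest published with each release and add
#   `echo "<EXPECTED_SHA256>  <downloaded-file>" | sha256sum -c` after the
#   download so a substituted artifact fails the job instead of running.
# - Dependency sets are unpinned (`npm install`, bare `pip install ...`). Prefer
#   `npm ci` against a committed lockfile and a pinned requirements file so the
#   proof tooling resolves to the same versions on every run.

on:  # yamllint disable-line rule:truthy
  push:
    paths:
      - 'governance_artifacts/**'
      - 'governance_blueprint/**'
      - 'next-app/**'
      - '.github/workflows/runnable-assurance.yml'
  pull_request:
    paths:
      - 'governance_artifacts/**'
      - 'governance_blueprint/**'
      - 'next-app/**'
      # Match the push trigger: a PR that edits this workflow must also run it.
      - '.github/workflows/runnable-assurance.yml'
  workflow_dispatch:

# Least privilege: nothing here writes back to the repository, so the
# GITHUB_TOKEN only needs read access to contents.
permissions:
  contents: read

jobs:
  runnable-assurance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Set up Java (for TLA+ TLC)
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Install Python deps
        run: pip install pyyaml jsonschema dilithium-py pytest

      - name: Install OPA
        # `-f` makes curl exit non-zero on an HTTP error; without it a 4xx/5xx
        # body would be saved as the binary, chmod'ed executable and run.
        run: |
          curl -fsSL -o /usr/local/bin/opa https://openpolicyagent.org/downloads/v0.70.0/opa_linux_amd64_static
          chmod +x /usr/local/bin/opa
          opa version

      - name: Install circom 2.1.9
        # Same `-f` rationale as the OPA step: fail on HTTP errors before chmod.
        run: |
          mkdir -p "$HOME/.local/bin"
          curl -fL -o "$HOME/.local/bin/circom" https://github.com/iden3/circom/releases/download/v2.1.9/circom-linux-amd64
          chmod +x "$HOME/.local/bin/circom"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Install snarkjs + circomlib
        working-directory: governance_artifacts/zk
        run: npm install

      - name: Install solc (for contract compile + zk relayer verifier)
        working-directory: governance_blueprint/contracts
        run: npm install

      - name: Set up Terraform (for pilot IaC gate)
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '1.9.8'

      - name: Fetch TLA+ tools
        # `-f` so a missing release asset fails here rather than when TLC is
        # later invoked against a non-jar file.
        run: |
          mkdir -p governance_artifacts/tla/tools
          curl -fL -o governance_artifacts/tla/tools/tla2tools.jar \
            https://github.com/tlaplus/tlaplus/releases/download/v1.7.4/tla2tools.jar

      - name: Compile circuits
        working-directory: governance_artifacts/zk
        run: |
          circom circuits/src1_concentration_bound.circom --r1cs --wasm --sym --O0 -o circuits/
          circom circuits/src_fair1_reason_code_check.circom --r1cs --wasm --sym --O0 -o circuits/

      - name: Unit tests (routing + PQC WORM + contract logic)
        run: |
          pytest governance_artifacts/routing/test_sara_acr_router.py -q
          pytest governance_artifacts/kafka/test_pqc_worm_logger_v2.py -q
          pytest governance_blueprint/contracts/test_contract_logic.py -q

      - name: Run runnable assurance suite
        run: bash governance_artifacts/run_runnable_assurance.sh

      - name: 2028 pilot acceptance-gate checklist
        run: python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py

  dashboard-tests:
    name: Dashboard security tests (next-app)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install next-app deps
        working-directory: next-app
        run: npm install

      - name: Vitest (dashboard security + governance remediation)
        working-directory: next-app
        run: npx vitest run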