.github/workflows/native_build.yml

name: Native
on: [push, pull_request]
env:
  CARGO_TERM_COLOR: always
  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
jobs:
  SyncBuildAndTestS:
    strategy:
      matrix:
        # XXX(RLB): It would be good to just use macos-latest here, but
        # apparently if you do that, sometimes you get an older (not latest)
        # version.  And we require v14 in order to build the CryptoKit provider.
        os: [ubuntu-latest, macos-14, windows-latest]
      fail-fast: false
    runs-on: ${{ matrix.os }}
    # TODO remove after AWS-LC FIPS bindings for Kyber are fixed
    env:
      AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN: '1'
    steps:
      - uses: actions/checkout@v3
      - uses: arduino/setup-protoc@v2
        with:
          version: "25.x"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          save-if: ${{ github.ref == 'refs/heads/main' }}
      - uses: ilammy/setup-nasm@v1
        if: runner.os == 'Windows'
      - uses: actions/setup-go@v4
        with:
          go-version: '>=1.18'
      - uses: seanmiddleditch/gha-setup-ninja@master
        if: runner.os == 'Windows'
      # TODO remove after AWS-LC FIPS bindings for Kyber are fixed
      - name: Install bindgen-cli
        run: cargo install --force --locked bindgen-cli
      - run: |
          echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append
          vcpkg install openssl:x64-windows-static-md sqlite3:x64-windows-static-md
          echo "OPENSSL_DIR=C:/vcpkg/packages/openssl_x64-windows-static-md" | Out-File -FilePath $env:GITHUB_ENV -Append
          curl -o C:/cacert.pem https://curl.se/ca/cacert.pem
          echo "SSL_CERT_FILE=C:/cacert.pem" | Out-File -FilePath $env:GITHUB_ENV -Append
        if: runner.os == 'Windows'
      - run: |
          sudo apt-get install -y libsqlite3-dev
        if: runner.os == 'Linux'
      - name: Test Full RFC Compliance
        # Don't test AWS LC on all features as it makes it build both FIPS and non-FIPS versions
        run: cargo test --all-features --verbose --workspace --exclude mls-rs-crypto-aws-lc
      - name: Test AWS-LC provider
        run: |
          cargo test --verbose -p mls-rs-crypto-awslc --features post-quantum
          cargo test --verbose -p mls-rs-crypto-awslc --features post-quantum,fips --no-default-features
      - name: Test Bare Bones
        run: cargo test --no-default-features --features std,test_util,non-fips  --verbose --workspace
      - name: Examples
        working-directory: mls-rs
        run: cargo run --example basic_usage
  AsyncBuildAndTest:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
      fail-fast: false
    runs-on: ${{ matrix.os }}
    env:
      RUSTFLAGS: '--cfg mls_build_async'
    steps:
      - uses: actions/checkout@v3
      - uses: arduino/setup-protoc@v2
        with:
          version: "25.x"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          save-if: ${{ github.ref == 'refs/heads/main' }}
      - uses: ilammy/setup-nasm@v1
        if: runner.os == 'Windows'
      - uses: actions/setup-go@v4
        with:
          go-version: '>=1.18'
      - uses: seanmiddleditch/gha-setup-ninja@master
        if: runner.os == 'Windows'
      - run: |
          echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append
          vcpkg install openssl:x64-windows-static-md sqlite3:x64-windows-static-md
          echo "OPENSSL_DIR=C:/vcpkg/packages/openssl_x64-windows-static-md" | Out-File -FilePath $env:GITHUB_ENV -Append
          curl -o C:/cacert.pem https://curl.se/ca/cacert.pem
          echo "SSL_CERT_FILE=C:/cacert.pem" | Out-File -FilePath $env:GITHUB_ENV -Append
        if: runner.os == 'Windows'
      - name: Test Async Full RFC
        run: cargo test --lib --test '*' --verbose --features test_util -p mls-rs
      - name: Test Async Bare Bones
        run: cargo test --no-default-features --lib --test '*' --features std,test_util --verbose -p mls-rs
  LintAndFormatting:
    runs-on: ubuntu-latest
     # TODO remove after AWS-LC FIPS bindings for Kyber are fixed
    env:
      AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN: '1'
    steps:
      - uses: actions/checkout@v3
      - uses: arduino/setup-protoc@v2
        with:
          version: "25.x"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          save-if: ${{ github.ref == 'refs/heads/main' }}
      - uses: actions/setup-go@v4
        with:
          go-version: '>=1.18'
      - uses: seanmiddleditch/gha-setup-ninja@master
      # TODO remove after AWS-LC FIPS bindings for Kyber are fixed
      - name: Install bindgen-cli
        run: cargo install --force --locked bindgen-cli
      - name: Rust Fmt
        run: cargo fmt --all -- --check
      - name: Clippy Full RFC Compliance
        run: cargo clippy --all-targets --all-features --workspace -- -D warnings
      - name: Clippy Bare Bones
        run: cargo clippy --all-targets --no-default-features --features std,test_util,non-fips --workspace -- -D warnings
  LintAndFormattingMacOS:
    # XXX(RLB): It would be good to just use macos-latest here, but
    # apparently if you do that, sometimes you get an older (not latest)
    # version.  And we require v14 in order to build the CryptoKit provider.
    runs-on: macos-14
    steps: 
      - uses: actions/checkout@v3
      - uses: arduino/setup-protoc@v2
        with:
          version: "25.x"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          save-if: ${{ github.ref == 'refs/heads/main' }}
      - name: Rust Fmt
        run: cargo fmt -p mls-rs-crypto-cryptokit -- --check
      - name: Clippy
        run: cargo clippy -p mls-rs-crypto-cryptokit -- -D warnings
  CodeCoverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: dtolnay/rust-toolchain@nightly
      - uses: Swatinem/rust-cache@v2
        with:
          save-if: ${{ github.ref == 'refs/heads/main' }}
      - name: Setup code coverage
        run: cargo install cargo-llvm-cov
      - name: Run code coverage
        # Using `cargo llvm-cov show-env` lets us capture coverage
        # information from Python integration tests.
        run: |
          source <(cargo llvm-cov show-env --export-prefix)
          cargo llvm-cov clean --workspace
          cargo test --features "test_util"
          cargo llvm-cov report --lcov --output-path lcov.info
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v3
        with:
          files: lcov.info
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}