Files
secs-gem/.gitea/workflows/ci.yml
T
raphael fc3422a4a9 docs: move root .md files into docs/ + update every reference
Picks up the file renames that landed alongside the previous commit
and fixes everything that pointed at the old root locations:

- README.md doc-map updated: every entry now points at docs/X.md,
  with a new "docs/" lead entry pointing at the guided-tour index.
- README inline cross-refs (ARCHITECTURE / INTEGRATION / SECURITY /
  BENCHMARKS / MES_INTEROP / PROOFS) repointed to docs/.
- README "Interop" section rewritten — used to mention only
  secsgem-py; now covers all four external validators (secsgem-py
  31 / secs4java8 55 / tshark 69 frames / libFuzzer 200 k+ runs)
  with a one-line summary each, plus pointers to interop/README.md
  and docs/VERIFICATION.md.
- README "Deferred follow-ups" cleaned: dropped the explanatory
  "Listed here so reviewers don't go looking for them in
  COMPLIANCE.md and find an 'out of scope' entry that sounds
  defensive" sentence — the section header speaks for itself.
- docs/00_index.md "Where the rest of the docs live" table: dropped
  every `../` prefix since the docs are now siblings.
- docs/01_what_is_secs_gem.md PROOFS reference updated to sibling.
- docs/02_the_cast.md INTEGRATION + MES_INTEROP refs updated to
  siblings; dropped the stale "at the repo root" wording.
- interop/README.md: VERIFICATION + PROOFS refs updated to
  ../docs/X.md; stale "~24 + 4 checks" updated to 31 (matches
  PROOFS.md and README).
- examples/pvd_tool/README.md: every doc cross-ref now points at
  ../../docs/X.md.
- Source / data / CI comments mentioning doc names (e.g.
  "INTEGRATION.md §3", "COMPLIANCE.md gap") rewritten to
  "docs/INTEGRATION.md §3" etc. — affects 9 files across
  include/, apps/, tests/, data/, examples/, .gitea/workflows/.

Verified: full build under docker passes, 445/445 test cases pass,
2 753/2 753 assertions pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-09 19:36:27 +02:00

221 lines
7.4 KiB
YAML

name: tests
on:
push:
branches: [main]
pull_request:
jobs:
build-and-test:
runs-on: ubuntu-latest
container:
image: ubuntu:24.04
steps:
# actions/checkout@v4 is a Node-based action; the bare ubuntu:24.04
# runner image has no node, so checkout fails with
# `exitcode '127': command not found`. Install node + git BEFORE
# checkout, then install the rest of the toolchain after.
- name: Bootstrap (node + git for actions/checkout)
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends \
git \
ca-certificates \
nodejs
- uses: actions/checkout@v4
- name: Install C++ toolchain
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get install -y --no-install-recommends \
build-essential \
cmake \
ninja-build \
libasio-dev \
libyaml-cpp-dev \
python3 \
python3-yaml
- name: Configure (Release)
run: cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release
- name: Build (Release)
run: cmake --build build
- name: Unit tests (Release)
run: build/secsgem_tests
thread-sanitizer:
runs-on: ubuntu-latest
container:
image: ubuntu:24.04
steps:
- name: Bootstrap (node + git for actions/checkout)
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends \
git ca-certificates nodejs
- uses: actions/checkout@v4
- name: Install C++ toolchain
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get install -y --no-install-recommends \
build-essential cmake ninja-build \
libasio-dev libyaml-cpp-dev \
python3 python3-yaml
# Debug + -fsanitize=thread. Catches data races in the
# io_context strand contract documented in docs/INTEGRATION.md §3.
# halt_on_error=1 makes TSan-flagged races fail the job, not
# just print a warning.
- name: Configure (TSan)
run: cmake -S . -B build-tsan -G Ninja
-DCMAKE_BUILD_TYPE=Debug
-DSECSGEM_TSAN=ON
- name: Build (TSan)
run: cmake --build build-tsan
- name: Unit tests (TSan)
env:
TSAN_OPTIONS: halt_on_error=1
run: build-tsan/secsgem_tests
tshark-dissector:
runs-on: ubuntu-latest
container:
image: ubuntu:24.04
steps:
- name: Bootstrap (node + git for actions/checkout)
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends \
git ca-certificates nodejs
- uses: actions/checkout@v4
- name: Install C++ toolchain + tshark
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get install -y --no-install-recommends \
build-essential cmake ninja-build \
libasio-dev libyaml-cpp-dev \
python3 python3-yaml \
tshark tcpdump
- name: Build
run: |
cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release
cmake --build build
# Capture pcap of the demo flow, dissect with Wireshark's HSMS
# dissector (independent third codec), assert no malformed
# packets and that every expected control + data frame parses.
- name: tshark HSMS dissector validation
run: bash interop/tshark_validate.sh
env:
PORT: "5099"
secs4j-interop:
runs-on: ubuntu-latest
# secs4j-interop builds its own docker image (with JDK) and starts
# secs_server via docker compose; needs the docker socket, which
# is why this job runs on the bare runner rather than inside a
# `container:` like the other jobs.
#
# The bare runner image varies across deployments — catthehacker
# provides apt-get, but some gitea-act runners use a minimal node
# image with no package manager. The bootstrap step detects what
# it has (apt-get / apk / nothing) and only installs missing
# pieces; node + git are usually already present so actions/checkout
# can run.
steps:
- name: Bootstrap (node + git + docker CLI if missing)
run: |
set -e
need_git=0; need_node=0; need_docker=0
command -v git >/dev/null || need_git=1
command -v node >/dev/null || need_node=1
command -v docker >/dev/null || need_docker=1
if [ "$need_git$need_node$need_docker" = "000" ]; then
echo "runner image already has git/node/docker — skipping install"
exit 0
fi
if command -v apt-get >/dev/null; then
export DEBIAN_FRONTEND=noninteractive
apt-get update
pkgs=""
[ "$need_git" = "1" ] && pkgs="$pkgs git ca-certificates"
[ "$need_node" = "1" ] && pkgs="$pkgs nodejs"
[ "$need_docker" = "1" ] && pkgs="$pkgs docker.io docker-compose-plugin"
apt-get install -y --no-install-recommends $pkgs
elif command -v apk >/dev/null; then
pkgs=""
[ "$need_git" = "1" ] && pkgs="$pkgs git ca-certificates"
[ "$need_node" = "1" ] && pkgs="$pkgs nodejs"
[ "$need_docker" = "1" ] && pkgs="$pkgs docker docker-cli-compose"
apk add --no-cache $pkgs
else
echo "no apt-get or apk — runner image has no package manager"
echo "need: git=$need_git node=$need_node docker=$need_docker"
exit 1
fi
- uses: actions/checkout@v4
# Cross-validate against secs4java8 (Apache 2.0, kenta-shimizu) —
# an independent SECS implementation in Java. 55 checks
# covering S1/S2/S3/S5/S6/S7/S10/S14/S16 with full-body GEM 300
# shapes that secsgem-py couldn't easily drive.
- name: secs4j cross-validation
run: bash interop/secs4j_validate.sh
libfuzzer:
runs-on: ubuntu-latest
container:
image: ubuntu:24.04
steps:
- name: Bootstrap (node + git)
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends \
git ca-certificates nodejs
- uses: actions/checkout@v4
- name: Install clang + libFuzzer runtime
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get install -y --no-install-recommends \
cmake ninja-build \
libasio-dev libyaml-cpp-dev \
python3 python3-yaml \
clang libclang-rt-18-dev
- name: Configure (fuzz)
env:
CC: clang
CXX: clang++
run: cmake -S . -B build-fuzz -G Ninja
-DCMAKE_BUILD_TYPE=Debug
-DSECSGEM_FUZZ=ON
- name: Build fuzz targets
run: cmake --build build-fuzz --target fuzz_secs2_decode fuzz_sml_parse
# 60 seconds each — long enough for libFuzzer to explore the
# decoder/parser without ballooning CI time. Any crash, ASan
# report, or UBSan flag fails the job.
- name: Fuzz secs2::decode
run: build-fuzz/fuzz_secs2_decode -max_total_time=60 -max_len=4096
- name: Fuzz secs2::try_parse_sml
run: build-fuzz/fuzz_sml_parse -max_total_time=60 -max_len=4096