sparrowwallet/UltrafastSecp256k1
sparrowwallet/UltrafastSecp256k1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
UltrafastSecp256k1/scripts/ci-local.sh
Vano Chkheidze 1609bec6f5
fix(opencl,ci): OpenCL 6-bug fix (27/27 PASS), dead code removal, Scorecard .sigstore (#133) 
* chore: remove dead SIMD/FE52-ARM64 code, add edge-case tests

Remove 4 dead-code files that are never compiled on any active platform:
- cpu/include/secp256k1/field_simd.hpp (169 lines)
- cpu/src/field_asm52_arm64.cpp (254 lines)
- cpu/src/field_simd.cpp (130 lines)
- cpu/tests/test_simd_batch.cpp (220 lines)

Replace test_simd_batch with test_edge_cases (60 tests covering scalar
zero, infinity arithmetic, BIP-32 IL>=n, cache corruption, and other
coverage gaps identified in CT Hardening Gap analysis).

Update CMakeLists.txt for cpu, audit, and esp32_audit to reflect removal
and replacement. All 31 ctest targets pass.

* fix(opencl): fix 6 bugs in OpenCL kernels -- 27/27 audit PASS

Root cause: NC constant typo in secp256k1_extended.cl -- 0x402DA1732FC9BEEF
should be 0x402DA1732FC9BEBF (off by 0x30). This single hex digit error
corrupted ALL scalar mod-n operations, causing scalar_inverse to fail,
which broke ECDSA and Schnorr verify.

Bug #1: Kernel name mismatch in opencl_context.cpp -- batch_jacobian_to_affine
        vs batch_jacobian_to_affine_kernel.
Bug #2: Cross-program pubkey inconsistency -- host computed pubkey via embedded
        kernel (PTX, correct) but verify ran in extended kernel (different field
        arithmetic). Added ext_generator_mul() helper using extended kernel's
        generator_mul_windowed for consistency.
Bug #3: Schnorr pubkey -- get_schnorr_pubkey_x() now uses ext_generator_mul().
Bug #4: scalar_mul_mod_n_impl -- Barrett reduction completely broken. Rewritten
        with 2^256 = NC (mod n) reduction: 3 passes + scalar_cond_sub_n x3.
Bug #5: field_mul_impl/field_sqr_impl -- carry overflow in schoolbook multiply.
        Rewritten with column-based muladd/muladd2 3-register accumulator.
Bug #6: NC constant typo (THE ROOT CAUSE) -- BEEF vs BEBF.

OpenCL audit result: 27/27 PASS, AUDIT-READY (0.7s on RTX 5060 Ti).

* ci(scorecard): rename cosign .bundle to .sigstore for OSSF recognition

OSSF Scorecard Signed-Releases check does not recognize .bundle extension.
Rename all cosign output from .bundle to .sigstore (standard Sigstore
extension) so Scorecard can detect signed artifacts.

Also extend attest-build-provenance subject-path to include .gem, .jar,
.deb, and .rpm package formats for complete SLSA provenance coverage.

* fix(ci): pass -T to docker-compose run in non-interactive contexts

The pre-push hook runs ci-local.sh branch-gate without a TTY, causing
docker-compose run to fail with 'the input device is not a TTY'.
Detect non-interactive stdin and pass -T flag automatically.

---------

Co-authored-by: shrec <shrec@users.noreply.github.com>
2026-03-09 17:23:32 +04:00

159 lines
4.2 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# =============================================================================
# Convenience wrapper for local Docker CI with GitHub-parity presets.
# =============================================================================
# Usage:
# ./scripts/ci-local.sh quick
# ./scripts/ci-local.sh pre-push
# ./scripts/ci-local.sh gh-parity
# ./scripts/ci-local.sh all
# ./scripts/ci-local.sh dev-gate
# ./scripts/ci-local.sh main-gate
# ./scripts/ci-local.sh branch-gate
# ./scripts/ci-local.sh install-hook
# ./scripts/ci-local.sh <service-name>
#
# Optional:
# ./scripts/ci-local.sh --build gh-parity
# ./scripts/ci-local.sh --list
# =============================================================================
set -euo pipefail
repo_root="$(cd "$(dirname "$0")/.." && pwd)"
compose_file="$repo_root/docker-compose.ci.yml"
run_ci="$repo_root/docker/run_ci.sh"
build_first=0
detect_compose() {
if docker compose version >/dev/null 2>&1; then
echo "docker compose"
return
fi
if command -v docker-compose >/dev/null 2>&1; then
echo "docker-compose"
return
fi
echo "ERROR: neither 'docker compose' nor 'docker-compose' is available." >&2
exit 1
}
usage() {
cat <<'EOF'
Local CI wrapper
Commands:
quick Fast smoke (GCC Release + WASM)
pre-push Pre-push gate
gh-parity Max Linux parity with GitHub blockers
dev-gate Balanced gate before push to dev
main-gate Release-grade gate before push to main
branch-gate Auto-select gate by current branch (main=main-gate, else dev-gate)
install-hook Install git pre-push hook that runs branch-gate
strict-audit Zero advisory tolerance in unified audit
strict-perf Fail on any head-to-head lag (<1.00x)
no-surprise Strict end-to-end gate (recommended before release)
x86-full Full x86 unified audit + full benchmark reports
all Full local CI suite
<service> Any service from docker-compose.ci.yml
Options:
--build Build ci-base image first
--list List available services
-h, --help Show this help
EOF
}
if [ $# -eq 0 ]; then
usage
exit 1
fi
target=""
while [ $# -gt 0 ]; do
case "$1" in
--build)
build_first=1
shift
;;
--list)
target="__list__"
shift
;;
-h|--help)
usage
exit 0
;;
*)
if [ -n "$target" ]; then
echo "ERROR: multiple targets provided ('$target' and '$1')." >&2
exit 1
fi
target="$1"
shift
;;
esac
done
if [ ! -f "$compose_file" ]; then
echo "ERROR: missing $compose_file" >&2
exit 1
fi
if [ ! -x "$run_ci" ]; then
chmod +x "$run_ci"
fi
compose_cmd="$(detect_compose)"
if [ "$target" = "__list__" ]; then
(cd "$repo_root" && $compose_cmd -f docker-compose.ci.yml config --services)
exit 0
fi
if [ -z "$target" ]; then
echo "ERROR: missing target. Use --help." >&2
exit 1
fi
if [ "$target" = "install-hook" ]; then
git_dir="$(cd "$repo_root" && git rev-parse --git-dir 2>/dev/null || true)"
if [ -z "$git_dir" ]; then
echo "ERROR: not a git repository: $repo_root" >&2
exit 1
fi
if [ "${git_dir#/}" != "$git_dir" ]; then
hook_path="$git_dir/hooks/pre-push"
else
hook_path="$repo_root/$git_dir/hooks/pre-push"
fi
mkdir -p "$(dirname "$hook_path")"
cat > "$hook_path" <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
repo_root="$(git rev-parse --show-toplevel)"
cd "$repo_root"
echo "[pre-push] running local branch gate..."
./scripts/ci-local.sh branch-gate
HOOK
chmod +x "$hook_path"
echo "Installed pre-push hook at: $hook_path"
echo "Hook behavior: runs './scripts/ci-local.sh branch-gate' before every push."
exit 0
fi
if [ "$build_first" -eq 1 ]; then
(cd "$repo_root" && $compose_cmd -f docker-compose.ci.yml build ci-base)
fi
# Pass -T when stdin is not a terminal (e.g. git pre-push hook)
tty_flag=""
if [ ! -t 0 ]; then
tty_flag="-T"
fi
(cd "$repo_root" && $compose_cmd -f docker-compose.ci.yml run --rm $tty_flag "$target")
Reference in New Issue View Git Blame Copy Permalink