Add security report alpha target #62
| # determinism.yml — nightly + contract-change PRs (plan §9). | |
| # Gate Zero platforms first (macOS arm64 + Linux x64); Windows x64 runs a Milestone B | |
| # preflight lane. Unresolved Windows divergence blocks or re-scopes Public Beta. | |
| # Determinism failures are NEVER retried into green — a flaky fingerprint IS the bug. | |
| name: determinism | |
| on: | |
| schedule: | |
| - cron: "17 3 * * *" # nightly | |
| pull_request: | |
| types: [opened, synchronize, labeled] | |
| workflow_dispatch: | |
| jobs: | |
| cross-platform: | |
| if: >- | |
| github.event_name != 'pull_request' || | |
| contains(github.event.pull_request.labels.*.name, 'contract-change') | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # macOS arm64 + Linux x64 are the Gate Zero platforms. Windows x64 is a | |
| # Milestone B preflight lane and only runs PDFium-backed corpus work when | |
| # the pinned runtime is explicitly configured on that runner. | |
| os: [macos-14, ubuntu-latest, windows-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: rustup show | |
| # The contract vectors pin exact c14n bytes + sha256 per platform: every platform | |
| # asserting the same pinned hashes IS cross-platform byte equality for the | |
| # serialization layer. Corpus-level fingerprint comparison joins when the engine | |
| # parses the frozen manifest (WS-ENGINE + WS-HARNESS). | |
| - run: cargo test --locked -p ethos-core --all-features | |
| - name: full-corpus fingerprint equality | |
| shell: bash | |
| run: | | |
| if [ -n "${ETHOS_PDFIUM_LIBRARY_PATH:-}" ] && [ -f "${ETHOS_PDFIUM_LIBRARY_PATH:-}" ]; then | |
| make -C benchmarks/harness fixtures | |
| else | |
| echo "skipped: pinned PDFium runtime is not configured on this runner" | |
| fi |
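Review bot: In the `full-corpus fingerprint equality` step, the `else` branch echoes "skipped" and exits 0 on every matrix entry, so `macos-14` and `ubuntu-latest` (the Gate Zero platforms per the header comment) go green without running `make -C benchmarks/harness fixtures` whenever `ETHOS_PDFIUM_LIBRARY_PATH` is unset or points at a missing file. Nothing in the visible workflow sets that variable, so whether the corpus comparison runs at all depends on runner configuration. Suggest allowing the skip only when `matrix.os` is `windows-latest` and ending the branch with `exit 1` on the other two, which matches the "never retried into green" rule stated at the top of the file. Separately, `actions/checkout@v4` is a mutable tag and the workflow has no `permissions:` key, although it runs on `pull_request`; pinning the action to a full commit SHA and setting `permissions: contents: read` would fit a job whose purpose is pinned, reproducible inputs. `ubuntu-latest` and `windows-latest` also float while `macos-14` is pinned, so a runner image change can shift results without any change in the repository.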