-
Notifications
You must be signed in to change notification settings - Fork 0
288 lines (232 loc) · 8.91 KB
/
Copy pathbundle-push.yml
File metadata and controls
288 lines (232 loc) · 8.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
name: Bundle Push
on:
push:
tags:
- "v*"
workflow_dispatch:
inputs:
version:
description: "Version to bundle (e.g., v1.0.0)"
required: true
default: "v0.1.0"
jobs:
create-bundle:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Lean 4
uses: leanprover/lean-action@v1
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
- name: Cache dependencies
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
.lake
key: ${{ runner.os }}-bundle-${{ hashFiles('lakefile.lean', 'src/rust/guardd/Cargo.toml') }}
restore-keys: |
${{ runner.os }}-bundle-
- name: Build components
run: |
echo "Building Lean components..."
lake build
echo "Building Rust components..."
cargo build --release --manifest-path src/rust/guardd/Cargo.toml
- name: Create bundle
run: |
echo "Creating Model Asset Guard bundle..."
# Determine version
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
VERSION="${{ github.event.inputs.version }}"
else
VERSION="${GITHUB_REF#refs/tags/}"
fi
echo "Creating bundle for version: $VERSION"
# Create bundle directory
BUNDLE_DIR="model-asset-guard-$VERSION"
mkdir -p "$BUNDLE_DIR"
# Copy specification files
echo "Copying specification files..."
mkdir -p "$BUNDLE_DIR/Spec"
cp src/lean/ModelAssetGuard/Weights.lean "$BUNDLE_DIR/Spec/" 2>/dev/null || echo "Weights.lean not found"
cp src/lean/ModelAssetGuard/Quant/Core.lean "$BUNDLE_DIR/Spec/" 2>/dev/null || echo "Core.lean not found"
cp src/lean/ModelAssetGuard/Quant/LayerBound.lean "$BUNDLE_DIR/Spec/" 2>/dev/null || echo "LayerBound.lean not found"
cp src/lean/ModelAssetGuard/Token/Tokenizer.lean "$BUNDLE_DIR/Spec/" 2>/dev/null || echo "Tokenizer.lean not found"
# Copy bindings
echo "Copying language bindings..."
mkdir -p "$BUNDLE_DIR/bindings"
cp bindings/python/pytorch_guard.py "$BUNDLE_DIR/bindings/" 2>/dev/null || echo "pytorch_guard.py not found"
cp bindings/nodejs/node_guard.js "$BUNDLE_DIR/bindings/" 2>/dev/null || echo "node_guard.js not found"
# Copy Rust library
echo "Copying Rust library..."
mkdir -p "$BUNDLE_DIR/guardd"
if [ -f "src/rust/guardd/target/release/libguardd.so" ]; then
cp src/rust/guardd/target/release/libguardd.so "$BUNDLE_DIR/guardd/"
elif [ -f "src/rust/guardd/target/release/guardd.dll" ]; then
cp src/rust/guardd/target/release/guardd.dll "$BUNDLE_DIR/guardd/"
elif [ -f "src/rust/guardd/target/release/libguardd.dylib" ]; then
cp src/rust/guardd/target/release/libguardd.dylib "$BUNDLE_DIR/guardd/"
else
echo "Warning: No Rust library found"
fi
# Copy configuration files
echo "Copying configuration files..."
cp lakefile.lean "$BUNDLE_DIR/"
cp lean-toolchain "$BUNDLE_DIR/"
cp LICENSE "$BUNDLE_DIR/"
# Generate Lean kernel hash
echo "Generating Lean kernel hash..."
KERNEL_HASH=$(lake exe lean --version 2>/dev/null | head -1 | sha256sum | cut -d' ' -f1)
echo "$KERNEL_HASH" > "$BUNDLE_DIR/lean-hash.txt"
# Create bundle README
cat > "$BUNDLE_DIR/README.md" << EOF
# Model Asset Guard Bundle v$VERSION
This bundle contains the verified components of the Model Asset Guard system.
## Contents
- \`Spec/\` - Lean specification files with formal proofs
- \`guardd/\` - Rust sidecar library for high-performance validation
- \`bindings/\` - Python and Node.js bindings
- \`lean-hash.txt\` - Lean kernel hash for verification
## Verification
To verify this bundle:
1. Check the Lean kernel hash:
\`\`\`bash
lake exe lean --version | head -1 | sha256sum
\`\`\`
Compare with the contents of \`lean-hash.txt\`
2. Build and test the components:
\`\`\`bash
lake build
lake exe tests
cargo test --manifest-path src/rust/guardd/Cargo.toml
\`\`\`
## License
MIT License - see LICENSE file for details.
EOF
# Create bundle archive
BUNDLE_NAME="model-asset-guard-$VERSION.zip"
echo "Creating bundle archive: $BUNDLE_NAME"
zip -r "$BUNDLE_NAME" "$BUNDLE_DIR"
# Generate SHA-256 of bundle
BUNDLE_SHA256=$(sha256sum "$BUNDLE_NAME" | cut -d' ' -f1)
echo "Bundle SHA-256: $BUNDLE_SHA256"
# Create release info
cat > "release-info.txt" << EOF
Model Asset Guard Bundle
Version: $VERSION
Date: $(date)
Bundle: $BUNDLE_NAME
SHA-256: $BUNDLE_SHA256
Kernel Hash: $KERNEL_HASH
EOF
echo "Bundle created successfully!"
echo "Bundle: $BUNDLE_NAME"
echo "SHA-256: $BUNDLE_SHA256"
# Cleanup
rm -rf "$BUNDLE_DIR"
- name: Upload bundle artifact
uses: actions/upload-artifact@v4
with:
name: model-asset-guard-bundle-${{ github.sha }}
path: |
model-asset-guard-*.zip
release-info.txt
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
path: .
output-file: sbom.spdx.json
format: spdx-json
- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom-${{ github.sha }}
path: sbom.spdx.json
publish-release:
needs: create-bundle
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download bundle artifact
uses: actions/download-artifact@v4
with:
name: model-asset-guard-bundle-${{ github.sha }}
path: ./bundles
- name: Create GitHub Release
uses: softprops/action-gh-release@v1
with:
files: |
bundles/model-asset-guard-*.zip
bundles/release-info.txt
body: |
## Model Asset Guard v${{ github.ref_name }}
This release includes:
- ✅ Formal verification of all specifications
- ✅ High-performance Rust sidecar library
- ✅ Python and Node.js bindings
- ✅ Comprehensive test suite
- ✅ Bit-flip corpus validation
- ✅ Quantization error bounds with 128-vector verification
- ✅ Perfect hash tokenizer implementation
### Verification
To verify this release:
1. Check the Lean kernel hash in `lean-hash.txt`
2. Run `lake build && lake exe tests`
3. Run `cargo test --manifest-path guardd/Cargo.toml`
### Installation
Extract the bundle and follow the README for integration instructions.
### SHA-256
```
$(cat bundles/release-info.txt | grep SHA-256 | cut -d' ' -f2)
```
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish-to-registry:
needs: create-bundle
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download bundle artifact
uses: actions/download-artifact@v4
with:
name: model-asset-guard-bundle-${{ github.sha }}
path: ./bundles
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.9"
- name: Install Python dependencies
run: |
pip install build twine
- name: Build Python package
run: |
cd bindings/python
python -m build
- name: Publish to PyPI
if: github.ref == 'refs/tags/main'
run: |
cd bindings/python
python -m twine upload dist/* --username __token__ --password ${{ secrets.PYPI_TOKEN }}
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
- name: Publish to Test PyPI
if: github.ref != 'refs/tags/main'
run: |
cd bindings/python
python -m twine upload --repository testpypi dist/* --username __token__ --password ${{ secrets.TEST_PYPI_TOKEN }}
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}