From 191be669b1ded788ef036d9c3bfa4a0ef6012493 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 2 Jun 2026 15:53:51 +0000
Subject: [PATCH 1/2] Bump aws-actions/configure-aws-credentials from 6.1.0 to 6.2.0

Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/ec61189d14ec14c8efccab744f656cffd0e33f37...e7f100cf4c008499ea8adda475de1042d6975c7b)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/bench_ec2_reusable.yml | 4 ++--
 .github/workflows/ci_ec2_container.yml | 4 ++--
 .github/workflows/ci_ec2_reusable.yml | 4 ++--
 .github/workflows/integration-pavona.yml | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/bench_ec2_reusable.yml b/.github/workflows/bench_ec2_reusable.yml
index a723da337..be061b450 100644
--- a/.github/workflows/bench_ec2_reusable.yml
+++ b/.github/workflows/bench_ec2_reusable.yml
@@ -106,7 +106,7 @@ jobs:
 echo "Using AMI ID: $AMI_ID"
 echo "AMI_ID=$AMI_ID" >> "$GITHUB_OUTPUT"
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ inputs.aws_region }}
@@ -224,7 +224,7 @@ jobs:
 if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
 steps:
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ inputs.aws_region }}
diff --git a/.github/workflows/ci_ec2_container.yml b/.github/workflows/ci_ec2_container.yml
index 906bd1b6e..d0f820731 100644
--- a/.github/workflows/ci_ec2_container.yml
+++ b/.github/workflows/ci_ec2_container.yml
@@ -97,7 +97,7 @@ jobs:
 echo "Using AMI ID: $AMI_ID"
 echo "AMI_ID=$AMI_ID" >> "$GITHUB_OUTPUT"
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ env.AWS_REGION }}
@@ -210,7 +210,7 @@ jobs:
 if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
 steps:
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ env.AWS_REGION }}
diff --git a/.github/workflows/ci_ec2_reusable.yml b/.github/workflows/ci_ec2_reusable.yml
index 5f8f20011..88aca09b1 100644
--- a/.github/workflows/ci_ec2_reusable.yml
+++ b/.github/workflows/ci_ec2_reusable.yml
@@ -107,7 +107,7 @@ jobs:
 echo "Using AMI ID: $AMI_ID"
 echo "AMI_ID=$AMI_ID" >> "$GITHUB_OUTPUT"
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ env.AWS_REGION }}
@@ -236,7 +236,7 @@ jobs:
 if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
 steps:
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ env.AWS_REGION }}
diff --git a/.github/workflows/integration-pavona.yml b/.github/workflows/integration-pavona.yml
index 5c6537494..0314c16e1 100644
--- a/.github/workflows/integration-pavona.yml
+++ b/.github/workflows/integration-pavona.yml
@@ -29,7 +29,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ env.AWS_REGION }}
@@ -112,7 +112,7 @@ jobs:
 if: ${{ always() && needs.start-ec2-runner.result != 'skipped' }} # required to stop the runner even if errors occur
 steps:
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ env.AWS_ROLE }}
 aws-region: ${{ env.AWS_REGION }}
From b318723ccd3bddcd39ab8c3e6e5584575ecf666e Mon Sep 17 00:00:00 2001
From: "Matthias J. Kannwischer"
Date: Wed, 3 Jun 2026 10:32:14 +0800
Subject: [PATCH 2/2] CI: Bump AWS-LC, liboqs, and pavona integration pins

AWS-LC v1.72.0 -> v5.0.0, liboqs to main (2026-05-27), pavona to main (2026-06-01). The pavona bump drops the polyvec_lazy and work-buffer patches, now carried upstream.

Signed-off-by: Matthias J. Kannwischer
---
 .github/workflows/all.yml | 2 +-
 .github/workflows/integration-liboqs.yml | 2 +-
 .github/workflows/integration-pavona.yml | 2 +-
 integration/pavona/add_polyvec_lazy.patch | 15 -----------
 integration/pavona/reduce_alloc.patch | 32 -----------------------
 5 files changed, 3 insertions(+), 50 deletions(-)
 delete mode 100644 integration/pavona/add_polyvec_lazy.patch
 delete mode 100644 integration/pavona/reduce_alloc.patch

diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index 289c95460..350fff2d4 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -74,7 +74,7 @@ jobs:
 needs: [ base ]
 uses: ./.github/workflows/integration-awslc.yml
 with:
- commit: v1.72.0
+ commit: v5.0.0
 secrets: inherit
 ct-test:
 name: Constant-time
diff --git a/.github/workflows/integration-liboqs.yml b/.github/workflows/integration-liboqs.yml
index a0589985b..d53e60358 100644
--- a/.github/workflows/integration-liboqs.yml
+++ b/.github/workflows/integration-liboqs.yml
@@ -41,7 +41,7 @@ jobs:
 packages: 'cmake python3-jinja2 python3-tabulate python3-git python3-pytest valgrind'
 - uses: ./.github/actions/setup-oqs
 with:
- commit: 'd8509387febc9e32466c86aab544d225d60c8e3c' # main (2026-04-21)
+ commit: 'f986aea60a9f3cb4055474aa212538bb0b14f1fe' # main (2026-05-27)
 gh_token: ${{ secrets.GITHUB_TOKEN }}
 repository: 'open-quantum-safe/liboqs'
 - name: Apply patch
diff --git a/.github/workflows/integration-pavona.yml b/.github/workflows/integration-pavona.yml
index 0314c16e1..bc088f7ea 100644
--- a/.github/workflows/integration-pavona.yml
+++ b/.github/workflows/integration-pavona.yml
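Review bot: The AWS-LC pin in the all.yml hunk stays a tag (`commit: v5.0.0`), while the liboqs and pavona pins updated in this same commit are full commit SHAs with a dated comment. A tag can be re-pointed upstream, so the integration job could start building different code without any change in this repository. integration-awslc.yml is not part of this patch, so whether its `commit` input accepts a SHA is an assumption to confirm; if it does, `commit: '<full-sha-of-v5.0.0>' # v5.0.0` (placeholder, to be resolved from the AWS-LC repository) would bring this pin in line with the other two.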
@@ -61,7 +61,7 @@ jobs:
 - uses: ./.github/actions/setup-pavona
 with:
 pavona-repository: https://github.com/pavona/pavona
- pavona-commit: release/2026.05.p0
+ pavona-commit: 96b8bca4c1025e3b599b53b912ed6afc5a098115 # main (2026-06-01)
 - name: Patch mldsa-native dependency
 run: |
diff --git a/integration/pavona/add_polyvec_lazy.patch b/integration/pavona/add_polyvec_lazy.patch
deleted file mode 100644
index d3898adf0..000000000
--- a/integration/pavona/add_polyvec_lazy.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright (c) The mldsa-native project authors
-# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
-diff --git a/third_party/mldsa_native/BUILD.mldsa_native.bazel b/third_party/mldsa_native/BUILD.mldsa_native.bazel
-index 8a63d09..1c576c2 100644
---- a/third_party/mldsa_native/BUILD.mldsa_native.bazel
-+++ b/third_party/mldsa_native/BUILD.mldsa_native.bazel
-@@ -26,6 +26,8 @@ cc_library(
- "mldsa/src/poly_kl.h",
- "mldsa/src/polyvec.c",
- "mldsa/src/polyvec.h",
-+ "mldsa/src/polyvec_lazy.c",
-+ "mldsa/src/polyvec_lazy.h",
- "mldsa/src/reduce.h",
- "mldsa/src/rounding.h",
- "mldsa/src/sign.c",
diff --git a/integration/pavona/reduce_alloc.patch b/integration/pavona/reduce_alloc.patch
deleted file mode 100644
index 5ea951e09..000000000
--- a/integration/pavona/reduce_alloc.patch
+++ /dev/null
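Review bot: The `Patch mldsa-native dependency` step that follows the new `pavona-commit` pin appears only as context, and its `run: |` body lies outside the hunk. The hunk therefore cannot show whether that step still applies `integration/pavona/add_polyvec_lazy.patch` or `integration/pavona/reduce_alloc.patch`, both deleted by this commit. The diffstat lists a single changed line in integration-pavona.yml, so if the step names those files explicitly the job would fail on a missing file; if it applies whatever is present in `integration/pavona/`, nothing more is needed. Either way, a comment above the pin such as `# includes the polyvec_lazy and work-buffer changes previously carried as local patches` would record in the workflow why the patch files are gone.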
@@ -1,32 +0,0 @@
-# Copyright (c) The mldsa-native project authors
-# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
-diff --git a/sw/device/lib/crypto/include/mldsa.h b/sw/device/lib/crypto/include/mldsa.h
---- a/sw/device/lib/crypto/include/mldsa.h
-+++ b/sw/device/lib/crypto/include/mldsa.h
-@@ -41,17 +41,17 @@ enum {
- kOtcryptoMldsa87SeedBytes = 32,
-
- // Work buffer sizes in 32-bit words
-- kOtcryptoMldsa44WorkBufferKeypairWords = 32992 / sizeof(uint32_t),
-- kOtcryptoMldsa44WorkBufferSignWords = 32448 / sizeof(uint32_t),
-- kOtcryptoMldsa44WorkBufferVerifyWords = 22464 / sizeof(uint32_t),
-+ kOtcryptoMldsa44WorkBufferKeypairWords = 11584 / sizeof(uint32_t),
-+ kOtcryptoMldsa44WorkBufferSignWords = 13120 / sizeof(uint32_t),
-+ kOtcryptoMldsa44WorkBufferVerifyWords = 9120 / sizeof(uint32_t),
-
-- kOtcryptoMldsa65WorkBufferKeypairWords = 46304 / sizeof(uint32_t),
-- kOtcryptoMldsa65WorkBufferSignWords = 44768 / sizeof(uint32_t),
-- kOtcryptoMldsa65WorkBufferVerifyWords = 30720 / sizeof(uint32_t),
-+ kOtcryptoMldsa65WorkBufferKeypairWords = 14656 / sizeof(uint32_t),
-+ kOtcryptoMldsa65WorkBufferSignWords = 17248 / sizeof(uint32_t),
-+ kOtcryptoMldsa65WorkBufferVerifyWords = 10208 / sizeof(uint32_t),
-
-- kOtcryptoMldsa87WorkBufferKeypairWords = 62688 / sizeof(uint32_t),
-- kOtcryptoMldsa87WorkBufferSignWords = 59104 / sizeof(uint32_t),
-- kOtcryptoMldsa87WorkBufferVerifyWords = 41216 / sizeof(uint32_t),
-+ kOtcryptoMldsa87WorkBufferKeypairWords = 18752 / sizeof(uint32_t),
-+ kOtcryptoMldsa87WorkBufferSignWords = 21344 / sizeof(uint32_t),
-+ kOtcryptoMldsa87WorkBufferVerifyWords = 12512 / sizeof(uint32_t),
- };
-
- /**