Skip to content

ci: security workflows (codeql/scorecard/zizmor) + canonicalize idempotence fix#22

Merged
kingchenc merged 3 commits into
mainfrom
ci/proof-security-workflows
Jul 10, 2026
Merged

ci: security workflows (codeql/scorecard/zizmor) + canonicalize idempotence fix#22
kingchenc merged 3 commits into
mainfrom
ci/proof-security-workflows

Conversation

@kingchenc

@kingchenc kingchenc commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Adds the three security workflows (codeql/scorecard/zizmor), SHA-pinned and least-privilege, mirroring the other Wickra repos.

While this PR ran, the fuzz-smoke job surfaced a second canonicalize idempotence break (input 44447444.444..., ~4.5e7) — the round_to binary quantization grid disagrees with the {:.8} decimal grid right where the f64 ULP meets 1e-8. Fixed in the same PR: drop round_to and quantize purely by decimal rounding (a fixed point below 2^52*1e-8), falling back to the shortest round-trippable Display form above that magnitude. Golden report/inputs hashes are unchanged; the fuzz-found inputs are pinned as regressions.

Static analysis + supply-chain posture, mirroring the other Wickra repos:
- codeql.yml — CodeQL over the Rust core and the Python / JavaScript-TypeScript
  binding surfaces (build-mode none), on push/PR/weekly.
- scorecard.yml — OpenSSF Scorecard on push-to-main / weekly / branch-protection
  changes; publishes to the public OpenSSF API for the README badge.
- zizmor.yml — report-only audit of the workflow files themselves (template
  injection, token scope, unpinned actions); findings surface in the Security tab.

All actions are SHA-pinned; least-privilege GITHUB_TOKEN with per-job scope
widening.
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

…nary grid

A second canonicalize fuzz input (`44447444.444...`, ~4.5e7) still broke the
fixed-point invariant after the first fix. Root cause: the `round_to` binary
grid `(x*1e8).round()/1e8` and the `{:.8}` decimal grid disagree exactly where
the f64 ULP meets 1e-8, so canonicalize -> parse -> canonicalize drifted.

Drop `round_to` entirely and quantize purely by `{:.8}` decimal rounding, which
is a fixed point while the 1e-8 grid stays coarser than the ULP (|x| < 2^52*1e-8
~ 4.5e7). At or above that limit the grid is finer than f64 can represent, so
emit the shortest round-trippable Display form instead. Combined with
serde_json's float_roundtrip parser this is idempotent across the whole finite
f64 range; the fuzz-found 44447444.444... and 5e55 are pinned as regressions.

Golden report/inputs hashes are unchanged — real report values are far below the
grid limit, where decimal rounding matches the old binary rounding exactly.
@kingchenc kingchenc changed the title ci: CodeQL + Scorecard + zizmor security workflows ci: security workflows (codeql/scorecard/zizmor) + canonicalize idempotence fix Jul 10, 2026
…idempotent

A tiny negative such as -1e-9 formats as -0.00000000 under {:.8}, trims
to -0, and re-parses to -0.0 -> 0. The first canonicalization pass then
emitted -0 and the second 0, breaking the fixed-point property the moat
depends on. Drop the sign whenever the rounded value is zero, and pin it
with rounds-to-zero regression cases (found by the canonicalize fuzz
target on an input near -3.39e-339).
@kingchenc kingchenc merged commit ca4131e into main Jul 10, 2026
52 checks passed
@kingchenc kingchenc deleted the ci/proof-security-workflows branch July 10, 2026 21:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants