build: adopt Nix for reproducible builds

Author: Manuthor

.github/copilot-instructions.md

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -x
+
+# SQLite tests - always available, runs on filesystem
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+source "$SCRIPT_DIR/common.sh"
+
+init_build_env "$@"
+setup_test_logging
+setup_fips_openssl_env
+
+# Ensure required tools are available when running outside Nix
+require_cmd cargo "Cargo is required to build and run tests. Install Rust (rustup) and retry."
+
+echo "========================================="
+echo "Benchmarks tests"
+echo "========================================="
+
+echo "Building benchmarks..."
+cargo bench "${FEATURES_FLAG[@]}" --no-run
+
+echo "Benchmarks completed successfully."

.github/reusable_scripts

@@ -9,8 +9,30 @@
 # Exit on error, print commands
 set -ex
 
-if [ -n "$FEATURES" ]; then
-  CARGO_FEATURES="--features $FEATURES"
+# Args: --variant fips|non-fips (default: fips)
+VARIANT="fips"
+while [ $# -gt 0 ]; do
+  case "$1" in
+  -v | --variant)
+    VARIANT="${2:-}"
+    shift 2 || true
+    ;;
+  *) shift ;; # ignore
+  esac
+done
+
+case "$VARIANT" in
+fips | non-fips) : ;;
+*)
+  echo "Error: --variant must be 'fips' or 'non-fips'" >&2
+  exit 1
+  ;;
+esac
+
+if [ "$VARIANT" = "non-fips" ]; then
+  CARGO_FEATURES=(--features non-fips)
+else
+  CARGO_FEATURES=()
 fi
 
 # Install nodejs from nodesource if npm is not installed
@@ -37,7 +59,7 @@ cargo install wasm-pack
 # Build WASM component
 cd crate/wasm
 # shellcheck disable=SC2086
-wasm-pack build --target web --release $CARGO_FEATURES
+wasm-pack build --target web --release "${CARGO_FEATURES[@]}"
 
 # Copy WASM artifacts to UI directory
 WASM_DIR="../../ui/src/wasm/"
@@ -56,7 +78,10 @@ npm audit
 # Deploy built UI to root
 cd .. # current path: ./
 
-DEST_DIR="crate/server/ui${CARGO_FEATURES:+_non_fips}"
+DEST_DIR="crate/server/ui"
+if [ "$VARIANT" = "non-fips" ]; then
+  DEST_DIR="crate/server/ui_non_fips"
+fi
 rm -rf "$DEST_DIR"
 mkdir -p "$DEST_DIR"
 cp -R ui/dist "$DEST_DIR"

.github/scripts/README.md

@@ -9,8 +9,8 @@
 # Exit on error, print commands
 set -ex
 
-bash ./.github/scripts/build_ui.sh
+bash ./.github/scripts/build_ui.sh --variant fips
 git add crate/server/ui
 
-FEATURES=non-fips bash ./.github/scripts/build_ui.sh
+bash ./.github/scripts/build_ui.sh --variant non-fips
 git add crate/server/ui_non_fips

.github/scripts/benchmarks.sh

@@ -10,7 +10,6 @@ function BuildProject
         [string]$BuildType
     )
 
-    $env:RUST_LOG = "cosmian_kms_cli=error,cosmian_kms_server=error,cosmian_kmip=error,test_kms_server=error"
     # Add target
     rustup target add x86_64-pc-windows-msvc
 
@@ -44,24 +43,7 @@ function BuildProject
         exit 1
     }
 
-    if ($BuildType -eq "release")
-    {
-        cargo test --lib --workspace  --release --features "non-fips" -- --nocapture
-        if ($LASTEXITCODE -ne 0)
-        {
-            Write-Error "Release tests failed with exit code $LASTEXITCODE"
-            exit $LASTEXITCODE
-        }
-    }
-    else
-    {
-        cargo test --lib --workspace --features "non-fips" -- --nocapture
-        if ($LASTEXITCODE -ne 0)
-        {
-            Write-Error "Debug tests failed with exit code $LASTEXITCODE"
-            exit $LASTEXITCODE
-        }
-    }
+    exit 0
 }
 
 

.github/scripts/build_packages.sh

@@ -0,0 +1,43 @@
+$ErrorActionPreference = "Stop"
+Set-StrictMode -Version Latest
+$PSNativeCommandUseErrorActionPreference = $true # might be true by default
+
+function TestProject
+{
+    param (
+        [Parameter(Mandatory = $true)]
+        [ValidateSet("debug", "release")]
+        [string]$BuildType
+    )
+
+    $env:RUST_LOG = "cosmian_kms_cli=error,cosmian_kms_server=error,cosmian_kmip=error,test_kms_server=error"
+    # Add target
+    rustup target add x86_64-pc-windows-msvc
+
+    $env:OPENSSL_DIR = "$env:VCPKG_INSTALLATION_ROOT\packages\openssl_x64-windows-static"
+    Get-ChildItem -Recurse $env:OPENSSL_DIR
+
+    if ($BuildType -eq "release")
+    {
+        cargo test --lib --workspace  --release --features "non-fips" -- --nocapture
+        if ($LASTEXITCODE -ne 0)
+        {
+            Write-Error "Release tests failed with exit code $LASTEXITCODE"
+            exit $LASTEXITCODE
+        }
+    }
+    else
+    {
+        cargo test --lib --workspace --features "non-fips" -- --nocapture
+        if ($LASTEXITCODE -ne 0)
+        {
+            Write-Error "Debug tests failed with exit code $LASTEXITCODE"
+            exit $LASTEXITCODE
+        }
+    }
+}
+
+
+# Example usage:
+# TestProject -BuildType debug
+# TestProject -BuildType release