From b5046454b47aba598a42d3d775d2ec54dc57c75a Mon Sep 17 00:00:00 2001
From: Nadrieril
Date: Tue, 28 May 2024 16:05:56 +0200
Subject: ci: Check correctness of the charon pinned commit
---
 .github/workflows/ci.yml | 6 ++++++
 Makefile | 2 +-
 flake.nix | 1 +
 scripts/ci-check-charon-pin.sh | 22 ++++++++++++++++++++++
 scripts/update-charon-pin.sh | 2 +-
 5 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100755 scripts/ci-check-charon-pin.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 56769cae..5ee28837 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,3 +54,9 @@ jobs:
 - uses: actions/checkout@v4
 - uses: cachix/install-nix-action@v26
 - run: nix develop --command bash -c "cd tests/lean && make"
+
+ check-charon-pin:
+ runs-on: [self-hosted, linux, nix]
+ steps:
+ - uses: actions/checkout@v4
+ - run: nix develop --command ./scripts/ci-check-charon-pin.sh
diff --git a/Makefile b/Makefile
index 38da9f7e..b27fe0de 100644
--- a/Makefile
+++ b/Makefile
@@ -90,7 +90,7 @@ update-charon-pin:
 # Keep the commit revision in `./charon-pin` as well so that non-nix users can
 # know which commit to use.
 ./charon-pin: flake.lock
- nix-shell -p jq --run './scripts/update-charon-pin.sh' >> ./charon-pin
+ ./scripts/update-charon-pin.sh >> ./charon-pin
 # Checks that `./charon` contains a clone of charon at the required commit.
 # Also checks that `./charon/bin/charon` exists.
diff --git a/flake.nix b/flake.nix
index 654c0006..3e8b88de 100644
--- a/flake.nix
+++ b/flake.nix
@@ -226,6 +226,7 @@
 pkgs.ocamlPackages.ocamlformat
 pkgs.ocamlPackages.menhir
 pkgs.ocamlPackages.odoc
+ pkgs.jq
 ];
 inputsFrom = [
diff --git a/scripts/ci-check-charon-pin.sh b/scripts/ci-check-charon-pin.sh
new file mode 100755
index 00000000..4aacd96e
--- /dev/null
+++ b/scripts/ci-check-charon-pin.sh
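Review bot: The new `check-charon-pin` job checks out with the default `actions/checkout@v4` settings, but the script it runs reads `origin/main:flake.lock`. By default that action fetches only the commit being built, so on a pull-request run `origin/main` is likely to be missing, or, on a self-hosted runner that reuses its workspace, left over from an earlier run and stale; either way the old pin used in the comparison is not reliably the current one. I would fetch the base branch explicitly, for example `with:` / `fetch-depth: 0` under the checkout step, or a `- run: git fetch origin main` step before the script. The workflow's triggers are outside this hunk, so confirm which events this job actually runs on.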
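Review bot: With `jq` no longer supplied by `nix-shell`, the recipe `./scripts/update-charon-pin.sh >> ./charon-pin` can now fail on the script's `jq` check, and by then the shell has already opened the target for appending. If `./charon-pin` did not exist beforehand, an empty file is left behind that make treats as up to date on the next run, so non-nix users could end up with no pinned commit recorded. Unless the Makefile already declares it outside this hunk, adding `.DELETE_ON_ERROR:` would remove the target when the recipe fails.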
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Checks that the charon pin:
+# - moves forward from the previous pin, to ensure we don't regress the charon version;
+# - is merged into Charon.
+
+NEW_CHARON_PIN="$(cat flake.lock | jq -r .nodes.charon.locked.rev)"
+OLD_CHARON_PIN="$(git show origin/main:flake.lock | jq -r .nodes.charon.locked.rev)"
+echo "This PR updates the charon pin from $OLD_CHARON_PIN to $NEW_CHARON_PIN"
+
+git clone https://github.com/AeneasVerif/charon
+cd charon
+CHARON_MAIN="$(git rev-parse HEAD)"
+
+if ! git merge-base --is-ancestor "$OLD_CHARON_PIN" "$NEW_CHARON_PIN"; then
+ echo "Error: the new charon pin does not have the old one as its ancestor. The pin must only move forward."
+ exit 1
+fi
+
+if ! git merge-base --is-ancestor "$NEW_CHARON_PIN" "$CHARON_MAIN"; then
+ echo "Error: commit $NEW_CHARON_PIN is not merged into Charon."
+ exit 1
+fi
diff --git a/scripts/update-charon-pin.sh b/scripts/update-charon-pin.sh
index 418602b8..63dfe3b6 100755
--- a/scripts/update-charon-pin.sh
+++ b/scripts/update-charon-pin.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 if ! which jq 2> /dev/null 1>&2; then
- echo 'Error: command `jq` not found.'
+ echo 'Error: command `jq` not found; please install it.'
 exit 1
 fi
 echo '# This is the commit from https://github.com/AeneasVerif/charon that should be used with this version of aeneas.' > ./charon-pin
--
cgit v1.2.3
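Review bot: The new `scripts/ci-check-charon-pin.sh` has no error handling around `git clone` and `cd charon`, so if the clone fails or a `charon` directory already exists in the workspace, the two ancestry checks run in whatever repository the shell ends up in and their result says nothing about upstream history. Both pins are also taken from `flake.lock` (the new one from the checked-out tree, which a pull request can edit) and passed to `git merge-base` as revisions without checking that they are full commit hashes, so a ref name or an option-like string is not rejected up front. I would enable strict mode, validate both pins, and clone into a fresh temporary directory, as sketched below.

```bash
#!/usr/bin/env bash
set -euo pipefail
# … unchanged: header comment, NEW_CHARON_PIN and OLD_CHARON_PIN assignments …

# Only full commit hashes are accepted as pins before they reach git.
for pin in "$NEW_CHARON_PIN" "$OLD_CHARON_PIN"; do
    if [[ ! "$pin" =~ ^[0-9a-f]{40}$ ]]; then
        echo "Error: '$pin' is not a full commit hash."
        exit 1
    fi
done
# … unchanged: echo of the old and new pin …

# Clone into a fresh directory so a pre-existing ./charon is never reused.
CHARON_DIR="$(mktemp -d)"
trap 'rm -rf "$CHARON_DIR"' EXIT
git clone https://github.com/AeneasVerif/charon "$CHARON_DIR"
cd "$CHARON_DIR"
# … unchanged: CHARON_MAIN and the two ancestry checks …
```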