Merge pull request #10685 from julek-wolfssl/ci-cache-offload
CI: offload ccache/apt/buildx caches off the GitHub Actions cache
@@ -4,7 +4,9 @@ description: >
|
||||
directory from a previous run, and prepend the ccache compiler-symlink
|
||||
dir to PATH. Subsequent gcc/cc/g++/c++/clang invocations are
|
||||
transparently intercepted by ccache, so no other workflow step needs to
|
||||
change.
|
||||
change. On scheduled (cron) runs the cache is reseeded from clean
|
||||
compiles (CCACHE_RECACHE) instead of only being updated incrementally,
|
||||
so it can't drift indefinitely.
|
||||
|
||||
inputs:
|
||||
workflow-id:
|
||||
@@ -21,6 +23,15 @@ inputs:
|
||||
description: 'Per-job ccache max size (passed to ccache -M).'
|
||||
required: false
|
||||
default: '500M'
|
||||
read-only:
|
||||
description: >
|
||||
When 'true', restore the cache but do NOT save it (no post-job
|
||||
upload). Callers should set this to the result of the expression
|
||||
github.event_name == 'pull_request' so PR runs consume the shared
|
||||
cache read-only - no per-PR entries, no churn - while scheduled/push
|
||||
runs (read-only false) refresh it.
|
||||
required: false
|
||||
default: 'false'
|
||||
|
||||
runs:
|
||||
using: 'composite'
|
||||
@@ -41,7 +52,10 @@ runs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# read-only=false (default): restore + post-job save (the run_id in the
|
||||
# key never hits, so it always saves its contribution).
|
||||
- name: Restore + save ccache
|
||||
if: inputs.read-only != 'true'
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.ccache
|
||||
@@ -52,6 +66,19 @@ runs:
|
||||
restore-keys: |
|
||||
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-
|
||||
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-
|
||||
# read-only=true: restore the shared cache but never upload (PR runs).
|
||||
- name: Restore ccache (read-only)
|
||||
if: inputs.read-only == 'true'
|
||||
uses: actions/cache/restore@v5
|
||||
with:
|
||||
path: ~/.ccache
|
||||
# Same key shape as the save branch, for symmetry. This branch never
|
||||
# saves, so the run_id/run_attempt primary key is never an exact hit -
|
||||
# the restore-keys below always supply the most recent seeded cache.
|
||||
key: ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-${{ github.run_id }}-${{ github.run_attempt }}
|
||||
restore-keys: |
|
||||
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-
|
||||
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-
|
||||
|
||||
- name: Configure ccache and PATH
|
||||
shell: bash
|
||||
@@ -76,6 +103,18 @@ runs:
|
||||
echo "$CCACHE_LIBEXEC" >> "$GITHUB_PATH"
|
||||
echo "CCACHE_DIR=$HOME/.ccache" >> "$GITHUB_ENV"
|
||||
|
||||
# On the scheduled (cron) refresh, force every compile to miss the
|
||||
# cache and re-store a fresh result (CCACHE_RECACHE still writes, it
|
||||
# just skips lookups). This reseeds the shared cache from clean
|
||||
# compiles instead of only layering deltas onto whatever accumulated,
|
||||
# so a bad/stale entry can't live forever. The cache is still saved
|
||||
# (read-only is false on schedule), and PR/push runs are unaffected -
|
||||
# they keep their warm hits. Cost: the scheduled jobs recompile fully.
|
||||
- name: Force fresh compiles on scheduled reseed
|
||||
if: github.event_name == 'schedule'
|
||||
shell: bash
|
||||
run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Show ccache stats (initial)
|
||||
shell: bash
|
||||
run: ccache -s
|
||||
|
||||
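Review bot: The save branch fails open: `if: inputs.read-only != 'true'` on "Restore + save ccache" treats a missing or differently spelled input as permission to upload, and `read-only` defaults to 'false', so keeping PR runs from writing the cache depends on every caller remembering to pass the expression. A composite action can read the event itself (the install-apt-deps hunks on this page already test `github.event_name != 'pull_request'`), so the gates could be `if: inputs.read-only != 'true' && github.event_name != 'pull_request'` on the save step and `if: inputs.read-only == 'true' || github.event_name == 'pull_request'` on the restore-only step. The callers visible on this page do pass `read-only: ${{ github.event_name == 'pull_request' }}`; whether every other caller does is not visible here. A restored ccache entry becomes compiler output without a recompile, so the set of runs allowed to write it is worth enforcing in one place.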
@@ -20,11 +20,65 @@ inputs:
|
||||
description: 'Cache apt archives (disable for dynamic package names)'
|
||||
required: false
|
||||
default: 'true'
|
||||
ghcr-debs-tag:
|
||||
description: >
|
||||
Tag of a prebuilt .deb bundle published to
|
||||
ghcr.io/<owner>/wolfssl-ci-debs by the ci-deps-image workflow
|
||||
(e.g. "ubuntu-24.04-minimal"). When set, the packages are installed
|
||||
offline from that bundle and the apt cache path below is skipped; on
|
||||
that happy path the apt mirror is not contacted. The offline install
|
||||
is all-or-nothing (a single --no-download install of the whole set),
|
||||
so any failure - bundle missing, not public, or not covering every
|
||||
requested package - falls back to the apt path. Always safe to set;
|
||||
leave empty to use apt only.
|
||||
required: false
|
||||
default: ''
|
||||
runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
# Preferred path: install from a prebuilt .deb bundle pulled from ghcr,
|
||||
# entirely offline (--no-download), so a flaky/timing-out apt mirror
|
||||
# cannot break the build. Best-effort: on any failure we leave
|
||||
# "satisfied" unset and the apt steps below run unchanged. The bundle
|
||||
# image must be PUBLIC so anonymous `docker pull` works (including from
|
||||
# fork PRs whose GITHUB_TOKEN cannot read private packages).
|
||||
- name: Install from ghcr .deb bundle (offline)
|
||||
id: ghcr
|
||||
if: inputs.ghcr-debs-tag != ''
|
||||
shell: bash
|
||||
run: |
|
||||
set -u
|
||||
command -v docker >/dev/null 2>&1 || { echo "::notice::docker unavailable; using apt"; exit 0; }
|
||||
# Hardcode the upstream owner: the bundle is only ever published under
|
||||
# ghcr.io/wolfssl by ci-deps-image (gated to the wolfssl org), so fork
|
||||
# PRs read the public upstream image too rather than a nonexistent
|
||||
# ghcr.io/<fork>/wolfssl-ci-debs.
|
||||
IMG="ghcr.io/wolfssl/wolfssl-ci-debs:${{ inputs.ghcr-debs-tag }}"
|
||||
if ! docker pull -q "$IMG" >/dev/null 2>&1; then
|
||||
echo "::notice::ghcr bundle $IMG unavailable; using apt"
|
||||
exit 0
|
||||
fi
|
||||
cid=$(docker create "$IMG" 2>/dev/null) || { echo "::notice::cannot open bundle; using apt"; exit 0; }
|
||||
rm -rf "$RUNNER_TEMP/ghcr-debs"; mkdir -p "$RUNNER_TEMP/ghcr-debs"
|
||||
docker cp "$cid:/debs/." "$RUNNER_TEMP/ghcr-debs/" >/dev/null 2>&1 || true
|
||||
docker rm "$cid" >/dev/null 2>&1 || true
|
||||
ls "$RUNNER_TEMP"/ghcr-debs/*.deb >/dev/null 2>&1 || { echo "::notice::bundle had no .debs; using apt"; exit 0; }
|
||||
sudo cp "$RUNNER_TEMP"/ghcr-debs/*.deb /var/cache/apt/archives/
|
||||
NO_REC=""
|
||||
if [ "${{ inputs.no-install-recommends }}" = "true" ]; then
|
||||
NO_REC="--no-install-recommends"
|
||||
fi
|
||||
# --no-download forbids any network fetch: if the bundle is missing
|
||||
# a package this fails cleanly (nothing installed) and we fall back.
|
||||
if sudo DEBIAN_FRONTEND=noninteractive apt-get install -y $NO_REC --no-download ${{ inputs.packages }}; then
|
||||
echo "satisfied=true" >> "$GITHUB_OUTPUT"
|
||||
echo "Installed offline from $IMG: ${{ inputs.packages }}"
|
||||
else
|
||||
echo "::notice::offline install incomplete for $IMG; using apt"
|
||||
fi
|
||||
|
||||
- name: Compute cache key
|
||||
if: inputs.cache == 'true'
|
||||
if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true'
|
||||
id: cache-key
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -35,7 +89,7 @@ runs:
|
||||
echo "restore-key=apt-deps-${{ runner.os }}-${{ runner.arch }}-${OS_VERSION}-" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Restore apt cache
|
||||
if: inputs.cache == 'true'
|
||||
if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true'
|
||||
id: apt-cache
|
||||
uses: actions/cache/restore@v5
|
||||
with:
|
||||
@@ -44,7 +98,7 @@ runs:
|
||||
restore-keys: ${{ steps.cache-key.outputs.restore-key }}
|
||||
|
||||
- name: Pre-seed apt archives from cache
|
||||
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit == 'true'
|
||||
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit == 'true' && steps.ghcr.outputs.satisfied != 'true'
|
||||
shell: bash
|
||||
run: |
|
||||
if [ -d ~/apt-cache ] && ls ~/apt-cache/*.deb >/dev/null 2>&1; then
|
||||
@@ -53,6 +107,7 @@ runs:
|
||||
fi
|
||||
|
||||
- name: Install packages
|
||||
if: steps.ghcr.outputs.satisfied != 'true'
|
||||
shell: bash
|
||||
env:
|
||||
APT_CACHE_HIT: ${{ steps.apt-cache.outputs.cache-hit }}
|
||||
@@ -90,8 +145,11 @@ runs:
|
||||
DELAY=$((DELAY * 2))
|
||||
done
|
||||
|
||||
# PR runs never write the apt cache (no churn); only push/schedule runs
|
||||
# refresh it. The make-check family does not need it anyway - it installs
|
||||
# from the ghcr bundle above.
|
||||
- name: Collect .deb files for cache
|
||||
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit != 'true'
|
||||
if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true'
|
||||
shell: bash
|
||||
run: |
|
||||
mkdir -p ~/apt-cache
|
||||
@@ -99,7 +157,7 @@ runs:
|
||||
echo "Cached $(ls ~/apt-cache/*.deb 2>/dev/null | wc -l) .deb files"
|
||||
|
||||
- name: Save apt cache
|
||||
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit != 'true'
|
||||
if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true'
|
||||
uses: actions/cache/save@v5
|
||||
with:
|
||||
path: ~/apt-cache
|
||||
|
||||
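Review bot: The new "Install from ghcr .deb bundle (offline)" step pastes `${{ inputs.ghcr-debs-tag }}`, `${{ inputs.no-install-recommends }}` and `${{ inputs.packages }}` straight into the bash script, so each value becomes script text before the shell parses it, in a step that goes on to call `sudo`. The callers on this page pass literal strings, so this is hardening rather than a live bug, but a composite action should not depend on that. Passing the inputs through `env:` (as the "Install packages" step already does for `APT_CACHE_HIT`) and quoting the tag keeps them as data; `$PACKAGES` stays unquoted on purpose so it still splits into separate package names. Separately, `docker pull` takes a mutable tag and discards its output, so which bundle a run actually installed is not recorded; logging the pulled image digest would make that auditable.

```yaml
      - name: Install from ghcr .deb bundle (offline)
        # … unchanged: id, if, shell …
        env:
          DEBS_TAG: ${{ inputs.ghcr-debs-tag }}
          NO_INSTALL_RECOMMENDS: ${{ inputs.no-install-recommends }}
          PACKAGES: ${{ inputs.packages }}
        run: |
          # … unchanged: set -u, docker availability check …
          IMG="ghcr.io/wolfssl/wolfssl-ci-debs:${DEBS_TAG}"
          # … unchanged: pull the image, extract and copy the .debs …
          if [ "$NO_INSTALL_RECOMMENDS" = "true" ]; then
          # … unchanged: NO_REC assignment …
          if sudo DEBIAN_FRONTEND=noninteractive apt-get install -y $NO_REC --no-download $PACKAGES; then
            # … unchanged: satisfied=true output …
            echo "Installed offline from $IMG: $PACKAGES"
          # … unchanged: else branch …
```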
@@ -0,0 +1,80 @@
|
||||
# make-check family + interop apt packages for ubuntu-22.04 (the '-full'
|
||||
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-22.04-full). Superset of
|
||||
# -minimal; interop workflows install their subset offline from it.
|
||||
# Keep sorted; add a package when an interop workflow adds one.
|
||||
autoconf
|
||||
automake
|
||||
bison
|
||||
bridge-utils
|
||||
build-essential
|
||||
ca-certificates
|
||||
cargo
|
||||
ccache
|
||||
chrpath
|
||||
cmake
|
||||
cpio
|
||||
crossbuild-essential-arm64
|
||||
crossbuild-essential-armel
|
||||
crossbuild-essential-armhf
|
||||
crossbuild-essential-riscv64
|
||||
device-tree-compiler
|
||||
dfu-util
|
||||
diffstat
|
||||
dos2unix
|
||||
doxygen
|
||||
file
|
||||
flex
|
||||
g++
|
||||
g++-multilib
|
||||
gawk
|
||||
gcc
|
||||
gcc-multilib
|
||||
gcovr
|
||||
git
|
||||
git-core
|
||||
gnupg
|
||||
gperf
|
||||
gtk-sharp3
|
||||
help2man
|
||||
iproute2
|
||||
lcov
|
||||
libcairo2-dev
|
||||
libglib2.0-dev
|
||||
libgtk2.0-0
|
||||
liblocale-gettext-perl
|
||||
libmagic1
|
||||
libncurses5-dev
|
||||
libpcap-dev
|
||||
libpopt0
|
||||
libsdl1.2-dev
|
||||
libsdl2-dev
|
||||
libssl-dev
|
||||
libtool
|
||||
libtool-bin
|
||||
locales
|
||||
make
|
||||
net-tools
|
||||
ninja-build
|
||||
openssh-client
|
||||
ovmf
|
||||
parallel
|
||||
pkg-config
|
||||
python-is-python3
|
||||
python3-dev
|
||||
python3-pip
|
||||
python3-ply
|
||||
python3-setuptools
|
||||
python3-tk
|
||||
python3-wheel
|
||||
qemu-kvm
|
||||
qemu-user
|
||||
rsync
|
||||
socat
|
||||
srecord
|
||||
sudo
|
||||
texinfo
|
||||
uml-utilities
|
||||
unzip
|
||||
wget
|
||||
xz-utils
|
||||
zip
|
||||
@@ -0,0 +1,12 @@
|
||||
# make-check family apt packages for ubuntu-22.04 (the '-minimal'
|
||||
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-22.04-minimal). UNION of
|
||||
# every family workflow's list; superset is fine. Keep sorted.
|
||||
autoconf
|
||||
automake
|
||||
build-essential
|
||||
crossbuild-essential-arm64
|
||||
crossbuild-essential-armel
|
||||
crossbuild-essential-armhf
|
||||
crossbuild-essential-riscv64
|
||||
libtool
|
||||
qemu-user
|
||||
@@ -0,0 +1,94 @@
|
||||
# make-check family + interop apt packages for ubuntu-24.04 (the '-full'
|
||||
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-24.04-full). Superset of
|
||||
# -minimal; interop workflows install their subset offline from it.
|
||||
# Keep sorted; add a package when an interop workflow adds one.
|
||||
apache2
|
||||
apache2-dev
|
||||
autoconf
|
||||
autoconf-archive
|
||||
automake
|
||||
autopoint
|
||||
bubblewrap
|
||||
build-essential
|
||||
ccache
|
||||
clang
|
||||
clang-14
|
||||
clang-19
|
||||
cmake
|
||||
g++-10
|
||||
g++-11
|
||||
g++-12
|
||||
g++-9
|
||||
gcc-10
|
||||
gcc-11
|
||||
gcc-12
|
||||
gcc-9
|
||||
gcc-multilib
|
||||
gettext
|
||||
gyp
|
||||
jq
|
||||
krb5-admin-server
|
||||
krb5-kdc
|
||||
krb5-otp
|
||||
libbz2-dev
|
||||
libc++-dev
|
||||
libcap-dev
|
||||
libcap-ng-dev
|
||||
libcmocka-dev
|
||||
libcppunit-dev
|
||||
libcunit1
|
||||
libcunit1-dev
|
||||
libcunit1-doc
|
||||
libcurl4-openssl-dev
|
||||
libdb5.3-dev
|
||||
libev-dev
|
||||
libevent-2.1-7
|
||||
libevent-dev
|
||||
libffi-dev
|
||||
libgdbm-dev
|
||||
libgtest-dev
|
||||
libidn2-dev
|
||||
libio-socket-ssl-perl
|
||||
libjansson-dev
|
||||
libkrb5-dev
|
||||
liblz4-dev
|
||||
liblzma-dev
|
||||
liblzo2-dev
|
||||
libncursesw5-dev
|
||||
libnghttp2-dev
|
||||
libnl-genl-3-200
|
||||
libnl-genl-3-dev
|
||||
libnss-wrapper
|
||||
libnss3-dev
|
||||
libp11-dev
|
||||
libpam-dev
|
||||
libpam0g-dev
|
||||
libpcre2-dev
|
||||
libpsl-dev
|
||||
libpsl5
|
||||
libreadline-dev
|
||||
librtlsdr-dev
|
||||
libsecret-1-dev
|
||||
libsocket-wrapper
|
||||
libsqlite3-dev
|
||||
libssl-dev
|
||||
libtool
|
||||
liburcu-dev
|
||||
libuv1-dev
|
||||
linux-libc-dev
|
||||
make
|
||||
man2html
|
||||
meson
|
||||
mono-complete
|
||||
nghttp2
|
||||
ninja-build
|
||||
pkg-config
|
||||
pkgconf
|
||||
psmisc
|
||||
python3-docutils
|
||||
python3-impacket
|
||||
python3-psutil
|
||||
shellcheck
|
||||
uuid-dev
|
||||
valgrind
|
||||
zlib1g-dev
|
||||
@@ -0,0 +1,20 @@
|
||||
# make-check family apt packages for ubuntu-24.04 (the '-minimal'
|
||||
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-24.04-minimal). UNION of
|
||||
# every family workflow's list; superset is fine. Keep sorted.
|
||||
autoconf
|
||||
automake
|
||||
bubblewrap
|
||||
build-essential
|
||||
ccache
|
||||
clang-14
|
||||
clang-19
|
||||
g++-10
|
||||
g++-11
|
||||
g++-12
|
||||
g++-9
|
||||
gcc-10
|
||||
gcc-11
|
||||
gcc-12
|
||||
gcc-9
|
||||
gcc-multilib
|
||||
libtool
|
||||
@@ -468,9 +468,22 @@ def main() -> int:
|
||||
help="give each build dir a private copy of this "
|
||||
"symlinked source directory before make check, for "
|
||||
"tests that write into it (repeatable)")
|
||||
p.add_argument("--build-only", action="store_true",
|
||||
help="build every config but skip the make-check phase "
|
||||
"and any post-build \"run\" commands: the compile "
|
||||
"still populates ccache, which is the point when "
|
||||
"seeding a shared cache on a schedule")
|
||||
opts = p.parse_args()
|
||||
|
||||
all_configs = load_configs(opts, p.error)
|
||||
if opts.build_only:
|
||||
# Pure build: drop the check phase (and post-build "run" steps) for
|
||||
# every config. The compile alone fully populates ccache, so a
|
||||
# scheduled --build-only pass on the default branch warms the
|
||||
# shared cache that PR runs restore, without spending time on tests.
|
||||
for cfg in all_configs:
|
||||
cfg.check = False
|
||||
cfg.run = []
|
||||
selected = all_configs
|
||||
if opts.configs:
|
||||
by_name = {cfg.name: cfg for cfg in all_configs}
|
||||
|
||||
@@ -61,6 +61,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: valgrind
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Run Ada wrapper tests (valgrind)
|
||||
working-directory: ./wrapper/Ada/tests
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '8 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -35,6 +40,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -42,6 +48,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: async
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 250M
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
@@ -83,6 +90,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/async-configs.json"
|
||||
|
||||
@@ -94,6 +102,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: async-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -7,12 +7,21 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
||||
# cache that PR runs read (cache-to below is gated to those two events).
|
||||
schedule:
|
||||
- cron: '0 6 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
# Build the ATECC608 software simulator (https://github.com/wolfSSL/simulators,
|
||||
# ATECC608Sim/ subdirectory), build wolfSSL against cryptoauthlib + the
|
||||
# simulator's TCP HAL, and run the wolfCrypt ATECC608 test binary against the
|
||||
@@ -76,6 +85,10 @@ jobs:
|
||||
|
||||
- uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
- name: Build wolfCrypt-ATECC608 test image
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
@@ -84,8 +97,8 @@ jobs:
|
||||
push: false
|
||||
load: true
|
||||
tags: wolfssl-atecc608-sim:ci
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:atecc608
|
||||
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:atecc608,mode=max' || '' }}
|
||||
|
||||
- name: Run wolfCrypt tests against simulator
|
||||
run: docker run --rm wolfssl-atecc608-sim:ci
|
||||
|
||||
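Review bot: `packages: write` is granted at workflow level, so it also applies to the `pull_request` runs of this workflow (fork PRs get a read-only token regardless, same-repository PRs do not), although only the schedule/`workflow_dispatch` path logs in to ghcr and exports the cache. Moving the registry-cache refresh into its own job or workflow that carries `packages: write`, and leaving the PR-triggered job at `contents: read`, would keep the write-capable token away from runs that build pull-request content. `workflow_dispatch` can also be started against any branch, so the `cache-to` gate would be tighter with `&& github.ref == 'refs/heads/master'`, if master is the only branch meant to seed `wolfssl-sim-cache`. The later hunks that add the same `permissions` block and `cache-to` expression to the workflow building `openwrt-test:latest` raise the same two points.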
@@ -71,6 +71,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libuv1-dev libnghttp2-dev libcap-dev libcmocka-dev liburcu-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Checkout OSP
|
||||
uses: actions/checkout@v5
|
||||
|
||||
@@ -34,6 +34,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
- name: autogen
|
||||
run: ./autogen.sh
|
||||
|
||||
@@ -41,6 +41,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: shellcheck
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Collect files to check
|
||||
id: files
|
||||
|
||||
@@ -0,0 +1,116 @@
|
||||
name: CI deps image
|
||||
|
||||
# Builds the prebuilt apt .deb bundles that the make-check family (the
|
||||
# -minimal tags) and the interop workflows (the -full tags, a superset)
|
||||
# install offline (see .github/actions/install-apt-deps, input
|
||||
# ghcr-debs-tag). Each bundle holds the .debs for a package list in
|
||||
# .github/ci-deps/ - every package plus the dependencies not already on the
|
||||
# matching runner image, so it is tied to that runner rather than being a
|
||||
# portable, self-contained closure - published to
|
||||
# ghcr.io/<owner>/wolfssl-ci-debs:<tag>.
|
||||
#
|
||||
# Why: the apt mirror times out often enough to break PR CI. Resolving the
|
||||
# closure ONCE here (on master, where a slow mirror only delays this job and
|
||||
# is retried hard) and pulling it from ghcr on every PR keeps apt off the PR
|
||||
# critical path entirely. ghcr storage/bandwidth is free for public images
|
||||
# and is a separate pool from the 10 GB Actions cache.
|
||||
#
|
||||
# ONE-TIME SETUP: after the first successful run, make the package
|
||||
# `wolfssl-ci-debs` PUBLIC (repo/org > Packages > Package settings >
|
||||
# Change visibility). Anonymous `docker pull` then works from fork PRs too;
|
||||
# until then install-apt-deps simply falls back to apt (no breakage).
|
||||
|
||||
on:
|
||||
schedule:
|
||||
# Weekend only - refresh the bundles weekly so they track base-image
|
||||
# security updates. A mid-week package-list change waits for Saturday
|
||||
# (or run this manually via workflow_dispatch); until then the offline
|
||||
# install (a single --no-download install of the whole set) fails if any
|
||||
# requested package is missing from the bundle, and install-apt-deps
|
||||
# falls back to the full apt path.
|
||||
- cron: '0 2 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ci-deps-image-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: build ${{ matrix.tag }}
|
||||
if: github.repository_owner == 'wolfssl'
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
include:
|
||||
# The .debs must be downloaded on the same Ubuntu version that
|
||||
# consumes them, so the runner matches the tag. -minimal is the
|
||||
# make-check family's packages (small, pulled on every PR);
|
||||
# -full adds the interop workflows' packages (a superset).
|
||||
- runner: ubuntu-24.04
|
||||
tag: ubuntu-24.04-minimal
|
||||
- runner: ubuntu-24.04
|
||||
tag: ubuntu-24.04-full
|
||||
- runner: ubuntu-22.04
|
||||
tag: ubuntu-22.04-minimal
|
||||
- runner: ubuntu-22.04
|
||||
tag: ubuntu-22.04-full
|
||||
runs-on: ${{ matrix.runner }}
|
||||
timeout-minutes: 20
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
|
||||
- name: Resolve and download the .deb closure
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
LIST=".github/ci-deps/packages-${{ matrix.tag }}.txt"
|
||||
mapfile -t PKGS < <(grep -vE '^[[:space:]]*#|^[[:space:]]*$' "$LIST")
|
||||
echo "Packages (${#PKGS[@]}): ${PKGS[*]}"
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
rm -rf debs && mkdir -p debs
|
||||
sudo apt-get clean
|
||||
# Retry the flaky bits; this is the one place we accept apt risk.
|
||||
retry() { local i; for i in 1 2 3 4 5; do "$@" && return 0; sleep $((2**i)); done; "$@"; }
|
||||
retry sudo apt-get update -q
|
||||
# Download each package's closure independently (requested package +
|
||||
# any dependency not already installed) without installing. Per
|
||||
# package, not one resolve of the whole list, so one unbundleable
|
||||
# package - e.g. a conflict in the big -full union - cannot abort the
|
||||
# rest; install-apt-deps falls back to apt for anything missing.
|
||||
skipped=0
|
||||
for pkg in "${PKGS[@]}"; do
|
||||
retry sudo apt-get install -y --download-only "$pkg" \
|
||||
|| { echo "::warning::could not download $pkg"; skipped=$((skipped+1)); }
|
||||
done
|
||||
sudo cp /var/cache/apt/archives/*.deb debs/ 2>/dev/null || true
|
||||
echo "Bundled $(ls debs/*.deb 2>/dev/null | wc -l) .deb files ($(du -sh debs | cut -f1)); ${skipped} skipped"
|
||||
test -n "$(ls debs/*.deb 2>/dev/null)" # fail if nothing was bundled
|
||||
|
||||
- name: Build bundle image
|
||||
shell: bash
|
||||
run: |
|
||||
# Tiny busybox base so the consumer can `docker create`/`docker cp`
|
||||
# the .debs out; the base size is negligible next to the .debs.
|
||||
printf 'FROM busybox\nCOPY debs /debs\n' > Dockerfile.debs
|
||||
docker build -f Dockerfile.debs -t bundle .
|
||||
|
||||
- name: Log in to ghcr
|
||||
shell: bash
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
- name: Push to ghcr
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
|
||||
IMG="ghcr.io/$OWNER/wolfssl-ci-debs"
|
||||
# One mutable tag per bundle variant; each run overwrites it, so the
|
||||
# package keeps exactly one version per variant (no dated duplicates).
|
||||
docker tag bundle "$IMG:${{ matrix.tag }}"
|
||||
docker push "$IMG:${{ matrix.tag }}"
|
||||
echo "Pushed $IMG:${{ matrix.tag }}"
|
||||
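Review bot: The "Push to ghcr" step overwrites one mutable tag per variant, and install-apt-deps copies whatever .debs that tag holds into /var/cache/apt/archives and installs them with sudo on every consuming run, so write access to the `wolfssl-ci-debs` package amounts to control over what CI installs as root. Nothing in this workflow records which image was published; printing the digest after `docker push`, for example `docker inspect --format '{{index .RepoDigests 0}}' "$IMG:${{ matrix.tag }}"`, would leave an audit trail that a consuming run can be compared against. The header comment should also state, next to the one-time visibility instructions, that the published bundle is trusted input for PR builds. In "Log in to ghcr" the token is expanded into the script text; passing it as `env: GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and piping `"$GHCR_TOKEN"` to `docker login --password-stdin` keeps it out of the generated script.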
@@ -20,6 +20,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: cmake autoconf automake libtool
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
# build and install wolfssl via autotools for CMake consumer test
|
||||
- name: Build wolfssl with autotools
|
||||
|
||||
@@ -20,6 +20,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: cmake
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
# build wolfssl
|
||||
- name: Build wolfssl
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '12 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -35,6 +40,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -42,6 +48,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: cryptocb-only
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 200M
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
@@ -216,6 +223,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/cryptocb-only-configs.json"
|
||||
|
||||
@@ -227,6 +235,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: cryptocb-only-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -60,6 +60,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: nghttp2 libpsl5 libpsl-dev python3-impacket apache2 apache2-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -64,6 +64,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: krb5-kdc krb5-otp libkrb5-dev libsocket-wrapper libnss-wrapper krb5-admin-server libdb5.3-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '16 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -35,6 +40,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -42,6 +48,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: disable-pk-algs
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 150M
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
@@ -124,6 +131,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/disable-pk-algs-configs.json"
|
||||
|
||||
@@ -135,6 +143,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: disable-pk-algs-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -9,12 +9,21 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
||||
# cache that PR runs read (cache-to below is gated to those two events).
|
||||
schedule:
|
||||
- cron: '30 7 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
jobs:
|
||||
build_library:
|
||||
name: Compile libwolfssl.so
|
||||
@@ -54,6 +63,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: docker/setup-buildx-action@v4
|
||||
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
- uses: actions/download-artifact@v7
|
||||
with:
|
||||
name: openwrt-libwolfssl.so
|
||||
@@ -68,5 +80,5 @@ jobs:
|
||||
push: false
|
||||
tags: openwrt-test:latest
|
||||
build-args: DOCKER_BASE_CONTAINER=openwrt/rootfs:x86-64-${{ matrix.release }}
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:openwrt-${{ matrix.release }}
|
||||
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && format('type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:openwrt-{0},mode=max', matrix.release) || '' }}
|
||||
|
||||
@@ -34,6 +34,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
- name: Bootstrap
|
||||
run: ./autogen.sh
|
||||
|
||||
@@ -73,6 +73,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: build-essential autoconf libtool pkg-config cmake clang libc++-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -60,6 +60,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libpcre2-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -61,6 +61,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libreadline-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
with:
|
||||
|
||||
@@ -65,6 +65,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libgtest-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -77,6 +77,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libevent-dev libevent-2.1-7 automake pkg-config make libio-socket-ssl-perl
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Checkout memcached
|
||||
uses: actions/checkout@v5
|
||||
|
||||
@@ -40,6 +40,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: mono-complete
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Copy wolfSSL.dll to C# wrapper directory
|
||||
run: |
|
||||
|
||||
@@ -76,6 +76,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: build-essential libev-dev libssl-dev automake python3-docutils libcunit1 libcunit1-doc libcunit1-dev pkg-config make python3-psutil
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Checkout mosquitto
|
||||
uses: actions/checkout@v5
|
||||
|
||||
@@ -76,6 +76,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool pkg-config gettext libidn2-dev libsecret-1-dev autopoint
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Checkout msmtp
|
||||
uses: actions/checkout@v5
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '20 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -33,6 +38,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential crossbuild-essential-arm64 crossbuild-essential-armhf crossbuild-essential-riscv64 crossbuild-essential-armel qemu-user
|
||||
ghcr-debs-tag: ubuntu-22.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -40,6 +46,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: multi-arch
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 500M
|
||||
|
||||
# NOTE: the old runner-per-config matrix combined an "include" list
|
||||
@@ -246,6 +253,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
"$RUNNER_TEMP/multi-arch-configs.json"
|
||||
|
||||
- name: ccache stats
|
||||
@@ -256,6 +264,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: multi-arch-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '24 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -33,6 +38,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential gcc-9 g++-9 gcc-10 g++-10 gcc-11 g++-11 gcc-12 g++-12 clang-14 clang-19
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -40,6 +46,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: multi-compiler
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 500M
|
||||
|
||||
# One entry per compiler (the former one-runner-per-compiler matrix):
|
||||
@@ -89,6 +96,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
"$RUNNER_TEMP/multi-compiler-configs.json"
|
||||
|
||||
- name: ccache stats
|
||||
@@ -99,6 +107,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: multi-compiler-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '28 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -33,6 +38,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -40,6 +46,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: no-malloc
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 100M
|
||||
|
||||
# The JSON list below is the former runner-per-config matrix. These
|
||||
@@ -71,6 +78,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
"$RUNNER_TEMP/no-malloc-configs.json"
|
||||
|
||||
- name: ccache stats
|
||||
@@ -81,6 +89,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: no-malloc-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -45,6 +45,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: gyp ninja-build
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Checkout nss
|
||||
if: steps.cache.outputs.cache-hit != 'true'
|
||||
@@ -88,6 +89,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: gyp ninja-build
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Checkout nss (fallback on cache miss)
|
||||
if: steps.cache.outputs.cache-hit != 'true'
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '32 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -35,6 +40,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -42,6 +48,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: opensslcoexist
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 150M
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
@@ -72,6 +79,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/opensslcoexist-configs.json"
|
||||
|
||||
@@ -83,6 +91,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: opensslcoexist-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -69,6 +69,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf libnl-genl-3-dev libnl-genl-3-200
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: workaround high-entropy ASLR
|
||||
# not needed after either an update to llvm or runner is done
|
||||
|
||||
@@ -16,6 +16,13 @@ on:
|
||||
paths-ignore:
|
||||
- '**/*.md'
|
||||
- 'doc/**'
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs restore: the
|
||||
# linux and macOS jobs re-run --build-only (compile only, no tests) on the
|
||||
# default branch, where their ccache writes are visible to every PR. Only
|
||||
# Windows is skipped on schedule (see its job `if`) - seeding the linux and
|
||||
# macOS shards is where the cold-cache cost lives.
|
||||
schedule:
|
||||
- cron: '0 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -68,6 +75,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap ccache
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
# which would stop the test scripts from re-execing under
|
||||
@@ -81,8 +89,11 @@ jobs:
|
||||
- name: Pin ccache directory
|
||||
run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
|
||||
|
||||
# PRs restore the cache the weekday seed writes but never save it, so
|
||||
# PR runs add no per-shard ccache entries to the Actions cache. The
|
||||
# seed (schedule) saves below.
|
||||
- name: Restore ccache
|
||||
uses: actions/cache@v5
|
||||
uses: actions/cache/restore@v5
|
||||
with:
|
||||
path: ~/.cache/ccache
|
||||
# Per-shard cache lineage: each shard compiles a distinct config
|
||||
@@ -94,6 +105,13 @@ jobs:
|
||||
os-check-linux-ccache-${{ matrix.shard }}-
|
||||
os-check-linux-ccache-
|
||||
|
||||
# On the weekday seed, force clean recompiles (CCACHE_RECACHE) so the
|
||||
# saved master ccache is reseeded from scratch rather than only
|
||||
# accumulating deltas. PR/push runs leave it unset and keep their warm hits.
|
||||
- name: Force fresh compiles on scheduled reseed
|
||||
if: github.event_name == 'schedule'
|
||||
run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
|
||||
|
||||
- name: autogen
|
||||
run: |
|
||||
ccache -z
|
||||
@@ -380,10 +398,20 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--shard "${{ matrix.shard }}/${{ strategy.job-total }}" \
|
||||
--cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
|
||||
--private-dir=certs "$RUNNER_TEMP/os-check-configs.json"
|
||||
|
||||
# Seed runs (schedule) refresh the master-scoped ccache that PR runs
|
||||
# restore above; PR/push runs never save, so PRs add nothing.
|
||||
- name: Save ccache (seed only)
|
||||
if: github.event_name == 'schedule'
|
||||
uses: actions/cache/save@v5
|
||||
with:
|
||||
path: ~/.cache/ccache
|
||||
key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.ref_name }}-${{ github.sha }}
|
||||
|
||||
- name: ccache stats
|
||||
if: always()
|
||||
run: ccache -s || true
|
||||
@@ -392,6 +420,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: os-check-linux-logs-${{ matrix.shard }}
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
@@ -413,6 +442,9 @@ jobs:
|
||||
# macos-apple-native-cert-validation.yml workflow.
|
||||
make_check_macos:
|
||||
name: make check macos
|
||||
# Runs on PRs/pushes and on the weekday ccache-seed cron, where it
|
||||
# --build-only-seeds the macOS ccache (like the linux shards). Only
|
||||
# Windows is skipped on schedule (no ccache to seed).
|
||||
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
||||
runs-on: macos-latest
|
||||
# Serial checks: roughly the sum of the per-config minutes plus
|
||||
@@ -442,6 +474,8 @@ jobs:
|
||||
with:
|
||||
workflow-id: os-check-macos
|
||||
max-size: 500M
|
||||
# PRs read the weekday-seeded macOS ccache; only the seed saves.
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
|
||||
# Same JSON config format as make_check_linux above; "minutes" only
|
||||
# orders the serial schedule here (longest first).
|
||||
@@ -478,6 +512,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--threads 1 --cc= \
|
||||
--cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
|
||||
--private-dir=certs "$RUNNER_TEMP/os-check-macos-configs.json"
|
||||
@@ -490,6 +525,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: os-check-macos-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
@@ -499,7 +535,8 @@ jobs:
|
||||
|
||||
windows_build:
|
||||
name: Windows Build Test
|
||||
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
||||
# Skipped on the weekday ccache-seed cron: no ccache to seed here.
|
||||
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'schedule') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
||||
runs-on: windows-latest
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
||||
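Review bot: The key of the new `Save ccache (seed only)` step ends in `github.sha`, and Actions cache entries cannot be overwritten once written. A seed run on a commit that already has an entry (master unchanged since the previous seed, or a re-run) therefore saves nothing, and the CCACHE_RECACHE rebuild done for that run is discarded. Appending the run id gives every seed its own entry while the `restore-keys` prefixes still match: `key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.ref_name }}-${{ github.sha }}-${{ github.run_id }}`. The `Save ccache` step in the smoke workflow has the same shape, and there a push run and the cron run on the same commit compete for one key. The restore step's own `key:` line lies outside the hunks, so how it lines up with the save key is unchecked.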
@@ -62,6 +62,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libpam-dev ninja-build meson
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -6,12 +6,21 @@ on:
|
||||
branches: [ 'master', 'main', 'release/**' ]
|
||||
pull_request:
|
||||
branches: [ '*' ]
|
||||
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
||||
# cache that PR runs read (cache-to below is gated to those two events).
|
||||
schedule:
|
||||
- cron: '0 7 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
# Build the PIC32MZ software simulator (https://github.com/wolfSSL/simulators,
|
||||
# PIC32MZSim/ subdirectory) and run the wolfCrypt test suite on emulated
|
||||
# PIC32MZ EC (no FPU, CE ignores OUT_SWAP) and EF (FPU + OUT_SWAP) parts,
|
||||
@@ -67,6 +76,10 @@ jobs:
|
||||
|
||||
- uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
- name: Build ${{ matrix.image_tag }} image
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
@@ -75,8 +88,10 @@ jobs:
|
||||
push: false
|
||||
load: true
|
||||
tags: ${{ matrix.image_tag }}
|
||||
cache-from: type=gha,scope=${{ matrix.cache_scope }}
|
||||
cache-to: type=gha,mode=max,scope=${{ matrix.cache_scope }}
|
||||
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:${{ matrix.cache_scope }}
|
||||
# Write only on the weekend cron, and only from the EC entry of each
|
||||
# image, so the two chips that share a scope do not race on the push.
|
||||
cache-to: ${{ ((github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.chip_label == 'EC') && format('type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:{0},mode=max', matrix.cache_scope) || '' }}
|
||||
|
||||
- name: Run wolfCrypt tests on PIC32MZ ${{ matrix.chip_label }} (${{ matrix.port_label }})
|
||||
run: |
|
||||
|
||||
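Review bot: The `cache-to` gate in the build step accepts any `workflow_dispatch` run, and a manual dispatch can be started from any branch, so a run on an unreviewed branch would overwrite the `wolfssl-sim-cache` ref that every pull-request run then reads through `cache-from`. Limiting the write to the default branch closes that, for example `(github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/master'))`, with the branch name assumed from the "master-scoped" comments elsewhere in this commit. The comment above the line says "Write only on the weekend cron" while the expression also allows manual dispatch; it should read `# Write only on the weekend cron or a manual dispatch, and only from the EC entry of each image`. The same event gate appears in the SE050, STM32 and STSAFE-A120 workflows and in the openwrt build step.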
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs restore, by
|
||||
# re-running --build-only (compile only, no tests) on the default branch.
|
||||
# PR runs are read-only.
|
||||
schedule:
|
||||
- cron: '4 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -39,6 +44,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -48,6 +54,9 @@ jobs:
|
||||
workflow-id: pq-all
|
||||
config-hash: shard-${{ matrix.shard }}
|
||||
max-size: 350M
|
||||
# PRs read the cache the weekday seed writes; they never
|
||||
# save, so PR runs add nothing to the Actions cache.
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
# which would stop the test scripts from re-execing under
|
||||
@@ -220,6 +229,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--shard "${{ matrix.shard }}/${{ strategy.job-total }}" \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/pq-all-configs.json"
|
||||
@@ -232,6 +242,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: pq-all-logs-${{ matrix.shard }}
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '36 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -35,6 +40,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -42,6 +48,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: psk
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 100M
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
@@ -95,6 +102,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/psk-configs.json"
|
||||
|
||||
@@ -106,6 +114,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: psk-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -109,6 +109,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: build-essential autoconf automake autoconf-archive pkgconf libffi-dev libbz2-dev libreadline-dev libsqlite3-dev zlib1g-dev libncursesw5-dev libgdbm-dev libnss3-dev liblzma-dev uuid-dev pkg-config
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download wolfSSL
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -63,6 +63,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libcurl4-openssl-dev libjansson-dev libp11-dev librtlsdr-dev libcap-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -7,12 +7,21 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
||||
# cache that PR runs read (cache-to below is gated to those two events).
|
||||
schedule:
|
||||
- cron: '15 6 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
# Build the SE050 software simulator (https://github.com/wolfSSL/simulators,
|
||||
# SE050Sim/ subdirectory), build wolfSSL against its NXP Plug&Trust SDK +
|
||||
# simulator bridge, and run the wolfCrypt SE050 test binary against the
|
||||
@@ -55,6 +64,10 @@ jobs:
|
||||
|
||||
- uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
- name: Build wolfCrypt-SE050 test image
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
@@ -63,8 +76,8 @@ jobs:
|
||||
push: false
|
||||
load: true
|
||||
tags: wolfssl-se050-sim:ci
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:se050
|
||||
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:se050,mode=max' || '' }}
|
||||
|
||||
- name: Run wolfCrypt tests against simulator
|
||||
run: docker run --rm wolfssl-se050-sim:ci
|
||||
|
||||
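Review bot: The workflow-level `packages: write` added in the permissions block applies to every run of this workflow, including pull_request runs from branches in this repository, although only the login step gated to schedule/workflow_dispatch needs it. Keeping the workflow at `contents: read` and granting `packages: write` only to a separate cache-refresh job for those two events would mean the job that builds and runs PR content never holds a token that can write packages; whether the file has other jobs is not visible from the hunks. The login step also expands the token into the script text; passing it through the environment keeps it out of the generated shell script: `env:` with `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, then `run: echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`. The PIC32MZ, STM32 and STSAFE-A120 workflows carry the same two changes.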
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '40 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -33,6 +38,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -40,6 +46,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: smallstacksize
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 150M
|
||||
|
||||
# The JSON list below is the former runner-per-config matrix (the
|
||||
@@ -118,6 +125,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
"$RUNNER_TEMP/smallstacksize-configs.json"
|
||||
|
||||
- name: ccache stats
|
||||
@@ -128,6 +136,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: smallstacksize-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -36,9 +36,13 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ master, main ]
|
||||
# Weekday-morning (10:00 UTC) build-only seed of the master-scoped ccache that PR runs restore
|
||||
# (in addition to the master pushes above). PR runs are read-only.
|
||||
schedule:
|
||||
- cron: '56 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: smoke-${{ github.workflow }}-${{ github.ref }}
|
||||
group: smoke-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
@@ -90,6 +94,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap ccache
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
# which would stop the test scripts from re-execing under
|
||||
@@ -99,15 +104,17 @@ jobs:
|
||||
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
|
||||
|
||||
# ccache's default cache dir (XDG ~/.cache/ccache) is what the
|
||||
# actions/cache step below saves; pin it explicitly so the two
|
||||
# actions/cache steps below restore/save; pin it explicitly so the two
|
||||
# cannot drift apart (e.g. if a later change sets CCACHE_DIR).
|
||||
- name: Pin ccache directory
|
||||
if: steps.merge_check.outputs.skip != 'true'
|
||||
run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
|
||||
|
||||
# PRs restore the cache the master pushes / weekday seed write, but
|
||||
# never save it (the save step is gated to non-PR events below).
|
||||
- name: Restore ccache
|
||||
if: steps.merge_check.outputs.skip != 'true'
|
||||
uses: actions/cache@v5
|
||||
uses: actions/cache/restore@v5
|
||||
with:
|
||||
path: ~/.cache/ccache
|
||||
key: smoke-ccache-${{ github.base_ref || github.ref_name }}-${{ github.sha }}
|
||||
@@ -153,9 +160,18 @@ jobs:
|
||||
{"name": "leantls-extra", "configure": ["--enable-leantls", "--enable-session-ticket", "--enable-sni", "--enable-opensslextra"]}
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py --cflags=-Werror \
|
||||
.github/scripts/parallel-make-check.py ${{ github.event_name == 'schedule' && '--build-only' || '' }} --cflags=-Werror \
|
||||
--private-dir=certs "$RUNNER_TEMP/smoke-configs.json"
|
||||
|
||||
# Seed (master pushes + the weekday cron) writes the master-scoped
|
||||
# ccache that PR runs restore; PRs never save.
|
||||
- name: Save ccache
|
||||
if: github.event_name != 'pull_request' && steps.merge_check.outputs.skip != 'true'
|
||||
uses: actions/cache/save@v5
|
||||
with:
|
||||
path: ~/.cache/ccache
|
||||
key: smoke-ccache-${{ github.ref_name }}-${{ github.sha }}
|
||||
|
||||
- name: ccache stats
|
||||
if: always() && steps.merge_check.outputs.skip != 'true'
|
||||
run: ccache -s || true
|
||||
@@ -164,6 +180,7 @@ jobs:
|
||||
if: failure() && steps.merge_check.outputs.skip != 'true'
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: smoke-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
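Review bot: The scheduled seed runs `--build-only`, but nothing in these hunks sets `CCACHE_RECACHE`, unlike the os-check workflow, which adds a `Force fresh compiles on scheduled reseed` step. As written, the smoke cache is only ever extended from whatever was restored and never rebuilt from clean compiles, so a bad cached object would be carried forward indefinitely. If that is intended because master pushes also save, a comment above `Save ccache` should say so; otherwise add the same step before the build, with `if: github.event_name == 'schedule' && steps.merge_check.outputs.skip != 'true'` and `run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"`. This assumes parallel-make-check.py does not set the variable itself, which is not visible here.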
@@ -63,6 +63,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: build-essential autoconf libtool pkg-config clang libc++-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -63,6 +63,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: libcppunit-dev
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Download lib
|
||||
uses: actions/download-artifact@v7
|
||||
|
||||
@@ -7,12 +7,21 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
||||
# cache that PR runs read (cache-to below is gated to those two events).
|
||||
schedule:
|
||||
- cron: '15 7 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
# Build the STM32 software simulator (https://github.com/wolfSSL/simulators,
|
||||
# STM32Sim/ subdirectory) and run the wolfCrypt test suite on emulated
|
||||
# STM32H753 (Cortex-M7), STM32U585 (Cortex-M33), and STM32MP135 (Cortex-A7)
|
||||
@@ -74,6 +83,10 @@ jobs:
|
||||
|
||||
- uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
- name: Build stm32sim-wolfcrypt image
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
@@ -82,8 +95,11 @@ jobs:
|
||||
push: false
|
||||
load: true
|
||||
tags: stm32sim-wolfcrypt:ci
|
||||
cache-from: type=gha,scope=stm32sim
|
||||
cache-to: type=gha,mode=max,scope=stm32sim
|
||||
# Per-chip cache tag: H753/U585 share an image but MP135's context is
|
||||
# sed-patched, and a per-chip tag also keeps the weekend writers from
|
||||
# racing on one ref.
|
||||
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stm32-${{ matrix.chip_label }}
|
||||
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && format('type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stm32-{0},mode=max', matrix.chip_label) || '' }}
|
||||
|
||||
- name: Run wolfCrypt tests on STM32${{ matrix.chip_label }}
|
||||
run: |
|
||||
|
||||
@@ -7,12 +7,21 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
||||
# cache that PR runs read (cache-to below is gated to those two events).
|
||||
schedule:
|
||||
- cron: '30 6 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
# Build the STSAFE-A120 software simulator (https://github.com/wolfSSL/simulators,
|
||||
# STSAFEA120Sim/ subdirectory), build wolfSSL against STMicro's STSELib +
|
||||
# simulator bridge, and run the wolfCrypt STSAFE-A120 test binary against the
|
||||
@@ -82,6 +91,10 @@ jobs:
|
||||
|
||||
- uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
- name: Build wolfCrypt-STSAFE-A120 test image
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
@@ -90,8 +103,8 @@ jobs:
|
||||
push: false
|
||||
load: true
|
||||
tags: wolfssl-stsafe-a120-sim:ci
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stsafe-a120
|
||||
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stsafe-a120,mode=max' || '' }}
|
||||
|
||||
- name: Run wolfCrypt tests against simulator
|
||||
run: docker run --rm wolfssl-stsafe-a120-sim:ci
|
||||
|
||||
@@ -46,6 +46,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: build-essential autoconf automake libtool jq psmisc
|
||||
ghcr-debs-tag: ubuntu-24.04-full
|
||||
|
||||
- name: Pull TLS-Anvil Docker image
|
||||
run: docker pull ghcr.io/tls-attacker/tlsanvil:latest
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '44 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -37,6 +42,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -44,6 +50,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: trackmemory
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 250M
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
@@ -93,6 +100,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/trackmemory-configs.json"
|
||||
|
||||
@@ -104,6 +112,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: trackmemory-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -7,12 +7,21 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
||||
# cache that PR runs read (cache-to below is gated to those two events).
|
||||
schedule:
|
||||
- cron: '45 6 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
# Build the TROPIC01 software simulator (https://github.com/wolfSSL/simulators,
|
||||
# TROPIC01Sim/ subdirectory), build wolfSSL --with-tropic01 against libtropic
|
||||
# v0.1.0 + the simulator's TCP HAL, and run Tropic Square's wolfssl-test app
|
||||
@@ -74,6 +83,10 @@ jobs:
|
||||
|
||||
- uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
- name: Build wolfCrypt-TROPIC01 test image
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
@@ -82,8 +95,8 @@ jobs:
|
||||
push: false
|
||||
load: true
|
||||
tags: wolfssl-tropic01-sim:ci
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:tropic01
|
||||
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:tropic01,mode=max' || '' }}
|
||||
|
||||
- name: Run wolfCrypt tests against simulator
|
||||
run: docker run --rm wolfssl-tropic01-sim:ci
|
||||
|
||||
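Review bot: The `cache-to` expression and the ghcr login are gated only on the event name, so a `workflow_dispatch` run started from any branch exports that branch's build layers to `ghcr.io/wolfssl/wolfssl-sim-cache:tropic01`, the ref every PR run then reads through `cache-from`. Scheduled runs use the default branch, but manual dispatch need not; narrowing the dispatch arm, e.g. `github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/master'` (assuming master is the default branch), keeps the shared cache built only from merged code. The workflow-level `packages: write` in the first hunk also reaches pull_request runs that never push to the registry; the jobs section lies outside these hunks, but if it allows, granting that permission only on the job that builds the image would be tighter. The STSAFE-A120 workflow hunks use the same gating.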
@@ -84,6 +84,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: ${{ matrix.platform.id }}-${{ matrix.thread.id }}-${{ matrix.library.id }}
|
||||
path: |
|
||||
build/**
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '48 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -33,6 +38,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential gcc-multilib
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -40,6 +46,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: wconversion
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 300M
|
||||
|
||||
# The JSON list below is the former runner-per-config matrix. These
|
||||
@@ -140,6 +147,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
"$RUNNER_TEMP/wconversion-configs.json"
|
||||
|
||||
- name: ccache stats
|
||||
@@ -150,6 +158,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: wconversion-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -314,6 +314,7 @@ jobs:
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: renode-multimem-smallstack-results
|
||||
path: wolfboot/test_results/
|
||||
|
||||
@@ -422,6 +423,7 @@ jobs:
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: renode-multimem-smallstack-fastmath-results
|
||||
path: wolfboot/test_results/
|
||||
|
||||
@@ -530,5 +532,6 @@ jobs:
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: renode-multimem-smallstack-noasm-results
|
||||
path: wolfboot/test_results/
|
||||
|
||||
@@ -7,6 +7,11 @@ on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
branches: [ '*' ]
|
||||
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
||||
# restore: re-runs --build-only (compile only, no tests) on the
|
||||
# default branch. PR runs are read-only (see ccache-setup).
|
||||
schedule:
|
||||
- cron: '52 10 * * 1-5'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -48,6 +53,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: autoconf automake libtool build-essential bubblewrap
|
||||
ghcr-debs-tag: ubuntu-24.04-minimal
|
||||
|
||||
# ccache via the cross-platform composite; the script passes the
|
||||
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
||||
@@ -55,6 +61,7 @@ jobs:
|
||||
uses: ./.github/actions/ccache-setup
|
||||
with:
|
||||
workflow-id: wolfsm
|
||||
read-only: ${{ github.event_name == 'pull_request' }}
|
||||
max-size: 200M
|
||||
|
||||
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
||||
@@ -88,6 +95,7 @@ jobs:
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
||||
--private-dir=certs \
|
||||
"$RUNNER_TEMP/wolfsm-configs.json"
|
||||
|
||||
@@ -99,6 +107,7 @@ jobs:
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
retention-days: 7
|
||||
name: wolfsm-logs
|
||||
path: |
|
||||
build-*/make-check.log
|
||||
|
||||
@@ -41,6 +41,7 @@ jobs:
|
||||
uses: ./.github/actions/install-apt-deps
|
||||
with:
|
||||
packages: zip bridge-utils uml-utilities git cmake ninja-build gperf ccache dfu-util device-tree-compiler wget python3-dev python3-pip python3-setuptools python3-tk python3-wheel xz-utils file make gcc gcc-multilib g++-multilib libsdl2-dev libmagic1 autoconf automake bison build-essential ca-certificates cargo ccache chrpath cmake cpio device-tree-compiler dfu-util diffstat dos2unix doxygen file flex g++ gawk gcc gcovr git git-core gnupg gperf gtk-sharp3 help2man iproute2 lcov libcairo2-dev libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make net-tools ninja-build openssh-client parallel pkg-config python3-dev python3-pip python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo texinfo unzip wget ovmf xz-utils
|
||||
ghcr-debs-tag: ubuntu-22.04-full
|
||||
|
||||
- name: Setup cmake version
|
||||
uses: jwlawson/actions-setup-cmake@v2
|
||||
|
||||