Merge pull request #10685 from julek-wolfssl/ci-cache-offload

CI: offload ccache/apt/buildx caches off the GitHub Actions cache
This commit is contained in:
David Garske
2026-06-15 18:35:12 -07:00
committed by GitHub
58 changed files with 757 additions and 26 deletions
+40 -1
@@ -4,7 +4,9 @@ description: >
directory from a previous run, and prepend the ccache compiler-symlink
dir to PATH. Subsequent gcc/cc/g++/c++/clang invocations are
transparently intercepted by ccache, so no other workflow step needs to
change.
change. On scheduled (cron) runs the cache is reseeded from clean
compiles (CCACHE_RECACHE) instead of only being updated incrementally,
so it can't drift indefinitely.
inputs:
workflow-id:
@@ -21,6 +23,15 @@ inputs:
description: 'Per-job ccache max size (passed to ccache -M).'
required: false
default: '500M'
read-only:
description: >
When 'true', restore the cache but do NOT save it (no post-job
upload). Callers should set this to the result of the expression
github.event_name == 'pull_request' so PR runs consume the shared
cache read-only - no per-PR entries, no churn - while scheduled/push
runs (read-only false) refresh it.
required: false
default: 'false'
runs:
using: 'composite'
@@ -41,7 +52,10 @@ runs:
exit 1
fi
# read-only=false (default): restore + post-job save (the run_id in the
# key never hits, so it always saves its contribution).
- name: Restore + save ccache
if: inputs.read-only != 'true'
uses: actions/cache@v5
with:
path: ~/.ccache
@@ -52,6 +66,19 @@ runs:
restore-keys: |
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-
# read-only=true: restore the shared cache but never upload (PR runs).
- name: Restore ccache (read-only)
if: inputs.read-only == 'true'
uses: actions/cache/restore@v5
with:
path: ~/.ccache
# Same key shape as the save branch, for symmetry. This branch never
# saves, so the run_id/run_attempt primary key is never an exact hit -
# the restore-keys below always supply the most recent seeded cache.
key: ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-${{ github.run_id }}-${{ github.run_attempt }}
restore-keys: |
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-
ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-
- name: Configure ccache and PATH
shell: bash
@@ -76,6 +103,18 @@ runs:
echo "$CCACHE_LIBEXEC" >> "$GITHUB_PATH"
echo "CCACHE_DIR=$HOME/.ccache" >> "$GITHUB_ENV"
# On the scheduled (cron) refresh, force every compile to miss the
# cache and re-store a fresh result (CCACHE_RECACHE still writes, it
# just skips lookups). This reseeds the shared cache from clean
# compiles instead of only layering deltas onto whatever accumulated,
# so a bad/stale entry can't live forever. The cache is still saved
# (read-only is false on schedule), and PR/push runs are unaffected -
# they keep their warm hits. Cost: the scheduled jobs recompile fully.
- name: Force fresh compiles on scheduled reseed
if: github.event_name == 'schedule'
shell: bash
run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
- name: Show ccache stats (initial)
shell: bash
run: ccache -s
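Review bot: The `Force fresh compiles on scheduled reseed` step still runs on top of the directory that `Restore + save ccache` restored a few steps earlier, so `CCACHE_RECACHE=1` rewrites only the objects this run actually compiles; entries for configs that were dropped from a workflow survive until ccache's max-size cleanup evicts them, which is weaker than the "can't live forever" wording in the comment above the step. If a genuinely clean reseed is intended, clear the restored directory in that same step, `run: ccache -C && echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"` (CCACHE_DIR is already exported by the preceding configure step's `$GITHUB_ENV` write shown in this hunk); otherwise soften the comment to `# Entries not recompiled in the scheduled run linger until max-size eviction.`. The `runs:` steps list continues outside the hunk.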
+63 -5
@@ -20,11 +20,65 @@ inputs:
description: 'Cache apt archives (disable for dynamic package names)'
required: false
default: 'true'
ghcr-debs-tag:
description: >
Tag of a prebuilt .deb bundle published to
ghcr.io/<owner>/wolfssl-ci-debs by the ci-deps-image workflow
(e.g. "ubuntu-24.04-minimal"). When set, the packages are installed
offline from that bundle and the apt cache path below is skipped; on
that happy path the apt mirror is not contacted. The offline install
is all-or-nothing (a single --no-download install of the whole set),
so any failure - bundle missing, not public, or not covering every
requested package - falls back to the apt path. Always safe to set;
leave empty to use apt only.
required: false
default: ''
runs:
using: 'composite'
steps:
# Preferred path: install from a prebuilt .deb bundle pulled from ghcr,
# entirely offline (--no-download), so a flaky/timing-out apt mirror
# cannot break the build. Best-effort: on any failure we leave
# "satisfied" unset and the apt steps below run unchanged. The bundle
# image must be PUBLIC so anonymous `docker pull` works (including from
# fork PRs whose GITHUB_TOKEN cannot read private packages).
- name: Install from ghcr .deb bundle (offline)
id: ghcr
if: inputs.ghcr-debs-tag != ''
shell: bash
run: |
set -u
command -v docker >/dev/null 2>&1 || { echo "::notice::docker unavailable; using apt"; exit 0; }
# Hardcode the upstream owner: the bundle is only ever published under
# ghcr.io/wolfssl by ci-deps-image (gated to the wolfssl org), so fork
# PRs read the public upstream image too rather than a nonexistent
# ghcr.io/<fork>/wolfssl-ci-debs.
IMG="ghcr.io/wolfssl/wolfssl-ci-debs:${{ inputs.ghcr-debs-tag }}"
if ! docker pull -q "$IMG" >/dev/null 2>&1; then
echo "::notice::ghcr bundle $IMG unavailable; using apt"
exit 0
fi
cid=$(docker create "$IMG" 2>/dev/null) || { echo "::notice::cannot open bundle; using apt"; exit 0; }
rm -rf "$RUNNER_TEMP/ghcr-debs"; mkdir -p "$RUNNER_TEMP/ghcr-debs"
docker cp "$cid:/debs/." "$RUNNER_TEMP/ghcr-debs/" >/dev/null 2>&1 || true
docker rm "$cid" >/dev/null 2>&1 || true
ls "$RUNNER_TEMP"/ghcr-debs/*.deb >/dev/null 2>&1 || { echo "::notice::bundle had no .debs; using apt"; exit 0; }
sudo cp "$RUNNER_TEMP"/ghcr-debs/*.deb /var/cache/apt/archives/
NO_REC=""
if [ "${{ inputs.no-install-recommends }}" = "true" ]; then
NO_REC="--no-install-recommends"
fi
# --no-download forbids any network fetch: if the bundle is missing
# a package this fails cleanly (nothing installed) and we fall back.
if sudo DEBIAN_FRONTEND=noninteractive apt-get install -y $NO_REC --no-download ${{ inputs.packages }}; then
echo "satisfied=true" >> "$GITHUB_OUTPUT"
echo "Installed offline from $IMG: ${{ inputs.packages }}"
else
echo "::notice::offline install incomplete for $IMG; using apt"
fi
- name: Compute cache key
if: inputs.cache == 'true'
if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true'
id: cache-key
shell: bash
run: |
@@ -35,7 +89,7 @@ runs:
echo "restore-key=apt-deps-${{ runner.os }}-${{ runner.arch }}-${OS_VERSION}-" >> $GITHUB_OUTPUT
- name: Restore apt cache
if: inputs.cache == 'true'
if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true'
id: apt-cache
uses: actions/cache/restore@v5
with:
@@ -44,7 +98,7 @@ runs:
restore-keys: ${{ steps.cache-key.outputs.restore-key }}
- name: Pre-seed apt archives from cache
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit == 'true'
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit == 'true' && steps.ghcr.outputs.satisfied != 'true'
shell: bash
run: |
if [ -d ~/apt-cache ] && ls ~/apt-cache/*.deb >/dev/null 2>&1; then
@@ -53,6 +107,7 @@ runs:
fi
- name: Install packages
if: steps.ghcr.outputs.satisfied != 'true'
shell: bash
env:
APT_CACHE_HIT: ${{ steps.apt-cache.outputs.cache-hit }}
@@ -90,8 +145,11 @@ runs:
DELAY=$((DELAY * 2))
done
# PR runs never write the apt cache (no churn); only push/schedule runs
# refresh it. The make-check family does not need it anyway - it installs
# from the ghcr bundle above.
- name: Collect .deb files for cache
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit != 'true'
if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true'
shell: bash
run: |
mkdir -p ~/apt-cache
@@ -99,7 +157,7 @@ runs:
echo "Cached $(ls ~/apt-cache/*.deb 2>/dev/null | wc -l) .deb files"
- name: Save apt cache
if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit != 'true'
if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true'
uses: actions/cache/save@v5
with:
path: ~/apt-cache
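Review bot: The new `Install from ghcr .deb bundle (offline)` step expands `${{ inputs.ghcr-debs-tag }}` and `${{ inputs.packages }}` directly into the `run:` script (the `IMG=` assignment and the `apt-get install`/`echo` lines); both values come from this repo's own workflow files, so this is hardening rather than a live injection, but the conventional pattern is to pass them through `env:` (`PACKAGES: ${{ inputs.packages }}`, `DEBS_TAG: ${{ inputs.ghcr-debs-tag }}`) and reference `$PACKAGES`/`$DEBS_TAG` in the script, which is how the existing `Install packages` step already passes `APT_CACHE_HIT`. Two additions to the `ghcr-debs-tag` description would save a future debugging session: state that the tag must match the job's runner Ubuntu version (the ci-deps-image header says the bundle is tied to the runner image it was built on), so a `runs-on: ubuntu-latest` job silently reverts to the apt path once that alias moves; and state that this step never runs `apt-get update`, so the `--no-download` install is checked against the runner image's package lists — if apt rejects an archived .deb whose hash does not match the signed index, as I believe it does, then integrity does not rest on the mutable ghcr tag and a runner with newer lists than the bundle simply falls back, and both facts are worth recording so nobody later adds a digest pin for the wrong reason.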
@@ -0,0 +1,80 @@
# make-check family + interop apt packages for ubuntu-22.04 (the '-full'
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-22.04-full). Superset of
# -minimal; interop workflows install their subset offline from it.
# Keep sorted; add a package when an interop workflow adds one.
autoconf
automake
bison
bridge-utils
build-essential
ca-certificates
cargo
ccache
chrpath
cmake
cpio
crossbuild-essential-arm64
crossbuild-essential-armel
crossbuild-essential-armhf
crossbuild-essential-riscv64
device-tree-compiler
dfu-util
diffstat
dos2unix
doxygen
file
flex
g++
g++-multilib
gawk
gcc
gcc-multilib
gcovr
git
git-core
gnupg
gperf
gtk-sharp3
help2man
iproute2
lcov
libcairo2-dev
libglib2.0-dev
libgtk2.0-0
liblocale-gettext-perl
libmagic1
libncurses5-dev
libpcap-dev
libpopt0
libsdl1.2-dev
libsdl2-dev
libssl-dev
libtool
libtool-bin
locales
make
net-tools
ninja-build
openssh-client
ovmf
parallel
pkg-config
python-is-python3
python3-dev
python3-pip
python3-ply
python3-setuptools
python3-tk
python3-wheel
qemu-kvm
qemu-user
rsync
socat
srecord
sudo
texinfo
uml-utilities
unzip
wget
xz-utils
zip
@@ -0,0 +1,12 @@
# make-check family apt packages for ubuntu-22.04 (the '-minimal'
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-22.04-minimal). UNION of
# every family workflow's list; superset is fine. Keep sorted.
autoconf
automake
build-essential
crossbuild-essential-arm64
crossbuild-essential-armel
crossbuild-essential-armhf
crossbuild-essential-riscv64
libtool
qemu-user
@@ -0,0 +1,94 @@
# make-check family + interop apt packages for ubuntu-24.04 (the '-full'
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-24.04-full). Superset of
# -minimal; interop workflows install their subset offline from it.
# Keep sorted; add a package when an interop workflow adds one.
apache2
apache2-dev
autoconf
autoconf-archive
automake
autopoint
bubblewrap
build-essential
ccache
clang
clang-14
clang-19
cmake
g++-10
g++-11
g++-12
g++-9
gcc-10
gcc-11
gcc-12
gcc-9
gcc-multilib
gettext
gyp
jq
krb5-admin-server
krb5-kdc
krb5-otp
libbz2-dev
libc++-dev
libcap-dev
libcap-ng-dev
libcmocka-dev
libcppunit-dev
libcunit1
libcunit1-dev
libcunit1-doc
libcurl4-openssl-dev
libdb5.3-dev
libev-dev
libevent-2.1-7
libevent-dev
libffi-dev
libgdbm-dev
libgtest-dev
libidn2-dev
libio-socket-ssl-perl
libjansson-dev
libkrb5-dev
liblz4-dev
liblzma-dev
liblzo2-dev
libncursesw5-dev
libnghttp2-dev
libnl-genl-3-200
libnl-genl-3-dev
libnss-wrapper
libnss3-dev
libp11-dev
libpam-dev
libpam0g-dev
libpcre2-dev
libpsl-dev
libpsl5
libreadline-dev
librtlsdr-dev
libsecret-1-dev
libsocket-wrapper
libsqlite3-dev
libssl-dev
libtool
liburcu-dev
libuv1-dev
linux-libc-dev
make
man2html
meson
mono-complete
nghttp2
ninja-build
pkg-config
pkgconf
psmisc
python3-docutils
python3-impacket
python3-psutil
shellcheck
uuid-dev
valgrind
zlib1g-dev
@@ -0,0 +1,20 @@
# make-check family apt packages for ubuntu-24.04 (the '-minimal'
# bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-24.04-minimal). UNION of
# every family workflow's list; superset is fine. Keep sorted.
autoconf
automake
bubblewrap
build-essential
ccache
clang-14
clang-19
g++-10
g++-11
g++-12
g++-9
gcc-10
gcc-11
gcc-12
gcc-9
gcc-multilib
libtool
+13
@@ -468,9 +468,22 @@ def main() -> int:
help="give each build dir a private copy of this "
"symlinked source directory before make check, for "
"tests that write into it (repeatable)")
p.add_argument("--build-only", action="store_true",
help="build every config but skip the make-check phase "
"and any post-build \"run\" commands: the compile "
"still populates ccache, which is the point when "
"seeding a shared cache on a schedule")
opts = p.parse_args()
all_configs = load_configs(opts, p.error)
if opts.build_only:
# Pure build: drop the check phase (and post-build "run" steps) for
# every config. The compile alone fully populates ccache, so a
# scheduled --build-only pass on the default branch warms the
# shared cache that PR runs restore, without spending time on tests.
for cfg in all_configs:
cfg.check = False
cfg.run = []
selected = all_configs
if opts.configs:
by_name = {cfg.name: cfg for cfg in all_configs}
+1
@@ -61,6 +61,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: valgrind
ghcr-debs-tag: ubuntu-24.04-full
- name: Run Ada wrapper tests (valgrind)
working-directory: ./wrapper/Ada/tests
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '8 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -35,6 +40,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -42,6 +48,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: async
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 250M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
@@ -83,6 +90,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--private-dir=certs \
"$RUNNER_TEMP/async-configs.json"
@@ -94,6 +102,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: async-logs
path: |
build-*/make-check.log
+15 -2
@@ -7,12 +7,21 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '0 6 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
# Build the ATECC608 software simulator (https://github.com/wolfSSL/simulators,
# ATECC608Sim/ subdirectory), build wolfSSL against cryptoauthlib + the
# simulator's TCP HAL, and run the wolfCrypt ATECC608 test binary against the
@@ -76,6 +85,10 @@ jobs:
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Build wolfCrypt-ATECC608 test image
uses: docker/build-push-action@v7
with:
@@ -84,8 +97,8 @@ jobs:
push: false
load: true
tags: wolfssl-atecc608-sim:ci
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:atecc608
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:atecc608,mode=max' || '' }}
- name: Run wolfCrypt tests against simulator
run: docker run --rm wolfssl-atecc608-sim:ci
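Review bot: The `cache-to` on the `Build wolfCrypt-ATECC608 test image` step exports to `ghcr.io/wolfssl/wolfssl-sim-cache` on every `workflow_dispatch`, including one started from a fork, where the preceding `Log in to ghcr` step authenticates with the fork's GITHUB_TOKEN and the export cannot write to the wolfssl package; with buildx a failed cache export fails the build step, I believe, so the dispatch turns red instead of just skipping the refresh. The ci-deps-image workflow in this same PR gates on `github.repository_owner == 'wolfssl'`, and putting the same owner check into both the login `if:` and the `cache-to` expression, e.g. `if: github.repository_owner == 'wolfssl' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')`, keeps the three workflows consistent. The openwrt section of this PR has the identical login step and `cache-to` line and needs the same gate. Separately, `permissions: packages: write` is now granted workflow-wide, so on pull_request runs (where it is unused) and, in openwrt, to the `build_library` job that never pushes; scoping it to the job that refreshes the cache keeps the rest at `contents: read`.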
+1
@@ -71,6 +71,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libuv1-dev libnghttp2-dev libcap-dev libcmocka-dev liburcu-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Checkout OSP
uses: actions/checkout@v5
+1
@@ -34,6 +34,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential
ghcr-debs-tag: ubuntu-24.04-minimal
- name: autogen
run: ./autogen.sh
+1
@@ -41,6 +41,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: shellcheck
ghcr-debs-tag: ubuntu-24.04-full
- name: Collect files to check
id: files
+116
@@ -0,0 +1,116 @@
name: CI deps image
# Builds the prebuilt apt .deb bundles that the make-check family (the
# -minimal tags) and the interop workflows (the -full tags, a superset)
# install offline (see .github/actions/install-apt-deps, input
# ghcr-debs-tag). Each bundle holds the .debs for a package list in
# .github/ci-deps/ - every package plus the dependencies not already on the
# matching runner image, so it is tied to that runner rather than being a
# portable, self-contained closure - published to
# ghcr.io/<owner>/wolfssl-ci-debs:<tag>.
#
# Why: the apt mirror times out often enough to break PR CI. Resolving the
# closure ONCE here (on master, where a slow mirror only delays this job and
# is retried hard) and pulling it from ghcr on every PR keeps apt off the PR
# critical path entirely. ghcr storage/bandwidth is free for public images
# and is a separate pool from the 10 GB Actions cache.
#
# ONE-TIME SETUP: after the first successful run, make the package
# `wolfssl-ci-debs` PUBLIC (repo/org > Packages > Package settings >
# Change visibility). Anonymous `docker pull` then works from fork PRs too;
# until then install-apt-deps simply falls back to apt (no breakage).
on:
schedule:
# Weekend only - refresh the bundles weekly so they track base-image
# security updates. A mid-week package-list change waits for Saturday
# (or run this manually via workflow_dispatch); until then the offline
# install (a single --no-download install of the whole set) fails if any
# requested package is missing from the bundle, and install-apt-deps
# falls back to the full apt path.
- cron: '0 2 * * 6'
workflow_dispatch:
concurrency:
group: ci-deps-image-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
packages: write
jobs:
build:
name: build ${{ matrix.tag }}
if: github.repository_owner == 'wolfssl'
strategy:
fail-fast: false
matrix:
include:
# The .debs must be downloaded on the same Ubuntu version that
# consumes them, so the runner matches the tag. -minimal is the
# make-check family's packages (small, pulled on every PR);
# -full adds the interop workflows' packages (a superset).
- runner: ubuntu-24.04
tag: ubuntu-24.04-minimal
- runner: ubuntu-24.04
tag: ubuntu-24.04-full
- runner: ubuntu-22.04
tag: ubuntu-22.04-minimal
- runner: ubuntu-22.04
tag: ubuntu-22.04-full
runs-on: ${{ matrix.runner }}
timeout-minutes: 20
steps:
- uses: actions/checkout@v5
- name: Resolve and download the .deb closure
shell: bash
run: |
set -euo pipefail
LIST=".github/ci-deps/packages-${{ matrix.tag }}.txt"
mapfile -t PKGS < <(grep -vE '^[[:space:]]*#|^[[:space:]]*$' "$LIST")
echo "Packages (${#PKGS[@]}): ${PKGS[*]}"
export DEBIAN_FRONTEND=noninteractive
rm -rf debs && mkdir -p debs
sudo apt-get clean
# Retry the flaky bits; this is the one place we accept apt risk.
retry() { local i; for i in 1 2 3 4 5; do "$@" && return 0; sleep $((2**i)); done; "$@"; }
retry sudo apt-get update -q
# Download each package's closure independently (requested package +
# any dependency not already installed) without installing. Per
# package, not one resolve of the whole list, so one unbundleable
# package - e.g. a conflict in the big -full union - cannot abort the
# rest; install-apt-deps falls back to apt for anything missing.
skipped=0
for pkg in "${PKGS[@]}"; do
retry sudo apt-get install -y --download-only "$pkg" \
|| { echo "::warning::could not download $pkg"; skipped=$((skipped+1)); }
done
sudo cp /var/cache/apt/archives/*.deb debs/ 2>/dev/null || true
echo "Bundled $(ls debs/*.deb 2>/dev/null | wc -l) .deb files ($(du -sh debs | cut -f1)); ${skipped} skipped"
test -n "$(ls debs/*.deb 2>/dev/null)" # fail if nothing was bundled
- name: Build bundle image
shell: bash
run: |
# Tiny busybox base so the consumer can `docker create`/`docker cp`
# the .debs out; the base size is negligible next to the .debs.
printf 'FROM busybox\nCOPY debs /debs\n' > Dockerfile.debs
docker build -f Dockerfile.debs -t bundle .
- name: Log in to ghcr
shell: bash
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Push to ghcr
shell: bash
run: |
set -euo pipefail
OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
IMG="ghcr.io/$OWNER/wolfssl-ci-debs"
# One mutable tag per bundle variant; each run overwrites it, so the
# package keeps exactly one version per variant (no dated duplicates).
docker tag bundle "$IMG:${{ matrix.tag }}"
docker push "$IMG:${{ matrix.tag }}"
echo "Pushed $IMG:${{ matrix.tag }}"
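Review bot: In `Resolve and download the .deb closure`, the per-package `retry sudo apt-get install -y --download-only "$pkg"` treats a package name that does not exist on this Ubuntu release the same as a mirror timeout: six attempts with 2+4+8+16+32 s of sleep before the `::warning::` and the `skipped` bump, so a few renamed or dropped names in a hand-maintained list cost about a minute each against the 20-minute job timeout. A local check ahead of the retry separates the two cases, assuming none of the listed names are purely virtual packages: `apt-cache show "$pkg" >/dev/null 2>&1 || { echo "::warning::unknown package $pkg"; skipped=$((skipped+1)); continue; }`. It would also help to fail the job, or at least emit a `::notice::` summary, when `skipped` is non-zero, because install-apt-deps falls back to apt silently whenever the bundle is short a package, so one skipped name here quietly takes the offline path away from every consuming PR. Minor: `FROM busybox` in `Build bundle image` is unpinned, which is acceptable only because consumers `docker create`/`docker cp` and never run the image — a one-line comment to that effect would stop the next reader from "fixing" it.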
+1
@@ -20,6 +20,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: cmake autoconf automake libtool
ghcr-debs-tag: ubuntu-24.04-full
# build and install wolfssl via autotools for CMake consumer test
- name: Build wolfssl with autotools
+1
@@ -20,6 +20,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: cmake
ghcr-debs-tag: ubuntu-24.04-full
# build wolfssl
- name: Build wolfssl
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '12 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -35,6 +40,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -42,6 +48,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: cryptocb-only
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 200M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
@@ -216,6 +223,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--private-dir=certs \
"$RUNNER_TEMP/cryptocb-only-configs.json"
@@ -227,6 +235,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: cryptocb-only-logs
path: |
build-*/make-check.log
+1
@@ -60,6 +60,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: nghttp2 libpsl5 libpsl-dev python3-impacket apache2 apache2-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+1
@@ -64,6 +64,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: krb5-kdc krb5-otp libkrb5-dev libsocket-wrapper libnss-wrapper krb5-admin-server libdb5.3-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '16 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -35,6 +40,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -42,6 +48,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: disable-pk-algs
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 150M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
@@ -124,6 +131,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--private-dir=certs \
"$RUNNER_TEMP/disable-pk-algs-configs.json"
@@ -135,6 +143,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: disable-pk-algs-logs
path: |
build-*/make-check.log
+14 -2
@@ -9,12 +9,21 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '30 7 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
jobs:
build_library:
name: Compile libwolfssl.so
@@ -54,6 +63,9 @@ jobs:
steps:
- uses: actions/checkout@v5
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- uses: actions/download-artifact@v7
with:
name: openwrt-libwolfssl.so
@@ -68,5 +80,5 @@ jobs:
push: false
tags: openwrt-test:latest
build-args: DOCKER_BASE_CONTAINER=openwrt/rootfs:x86-64-${{ matrix.release }}
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:openwrt-${{ matrix.release }}
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && format('type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:openwrt-{0},mode=max', matrix.release) || '' }}
+1
@@ -34,6 +34,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential
ghcr-debs-tag: ubuntu-24.04-minimal
- name: Bootstrap
run: ./autogen.sh
+1
@@ -73,6 +73,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: build-essential autoconf libtool pkg-config cmake clang libc++-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+1
@@ -60,6 +60,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libpcre2-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+1
@@ -61,6 +61,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libreadline-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
with:
+1
@@ -65,6 +65,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libgtest-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+1
@@ -77,6 +77,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libevent-dev libevent-2.1-7 automake pkg-config make libio-socket-ssl-perl
ghcr-debs-tag: ubuntu-24.04-full
- name: Checkout memcached
uses: actions/checkout@v5
+1
@@ -40,6 +40,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: mono-complete
ghcr-debs-tag: ubuntu-24.04-full
- name: Copy wolfSSL.dll to C# wrapper directory
run: |
+1
@@ -76,6 +76,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: build-essential libev-dev libssl-dev automake python3-docutils libcunit1 libcunit1-doc libcunit1-dev pkg-config make python3-psutil
ghcr-debs-tag: ubuntu-24.04-full
- name: Checkout mosquitto
uses: actions/checkout@v5
+1
@@ -76,6 +76,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool pkg-config gettext libidn2-dev libsecret-1-dev autopoint
ghcr-debs-tag: ubuntu-24.04-full
- name: Checkout msmtp
uses: actions/checkout@v5
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '20 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,6 +38,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential crossbuild-essential-arm64 crossbuild-essential-armhf crossbuild-essential-riscv64 crossbuild-essential-armel qemu-user
ghcr-debs-tag: ubuntu-22.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -40,6 +46,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: multi-arch
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 500M
# NOTE: the old runner-per-config matrix combined an "include" list
@@ -246,6 +253,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
"$RUNNER_TEMP/multi-arch-configs.json"
- name: ccache stats
@@ -256,6 +264,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: multi-arch-logs
path: |
build-*/make-check.log
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '24 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,6 +38,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential gcc-9 g++-9 gcc-10 g++-10 gcc-11 g++-11 gcc-12 g++-12 clang-14 clang-19
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -40,6 +46,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: multi-compiler
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 500M
# One entry per compiler (the former one-runner-per-compiler matrix):
@@ -89,6 +96,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
"$RUNNER_TEMP/multi-compiler-configs.json"
- name: ccache stats
@@ -99,6 +107,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: multi-compiler-logs
path: |
build-*/make-check.log
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '28 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,6 +38,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -40,6 +46,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: no-malloc
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 100M
# The JSON list below is the former runner-per-config matrix. These
@@ -71,6 +78,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
"$RUNNER_TEMP/no-malloc-configs.json"
- name: ccache stats
@@ -81,6 +89,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: no-malloc-logs
path: |
build-*/make-check.log
+2
@@ -45,6 +45,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: gyp ninja-build
ghcr-debs-tag: ubuntu-24.04-full
- name: Checkout nss
if: steps.cache.outputs.cache-hit != 'true'
@@ -88,6 +89,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: gyp ninja-build
ghcr-debs-tag: ubuntu-24.04-full
- name: Checkout nss (fallback on cache miss)
if: steps.cache.outputs.cache-hit != 'true'
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '32 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -35,6 +40,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -42,6 +48,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: opensslcoexist
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 150M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
@@ -72,6 +79,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--private-dir=certs \
"$RUNNER_TEMP/opensslcoexist-configs.json"
@@ -83,6 +91,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: opensslcoexist-logs
path: |
build-*/make-check.log
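Review bot: The comment at the top of the `on:` hunk says the cron fires at "10:00 UTC" but the schedule line is `'32 10 * * 1-5'`, i.e. 10:32; the same "10:00 UTC" text is copied into sibling workflows whose crons are 10:28, 10:36, 10:40 and so on, so the staggering is clearly deliberate but the comments hide it. Stating the real time and the reason keeps the next editor from "fixing" the offset back to `0 10`: `# Weekday cron (10:32 UTC; minute offsets are staggered across workflows to spread runner load) seeds the master-scoped ccache that PR runs restore.`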
+1
@@ -69,6 +69,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf libnl-genl-3-dev libnl-genl-3-200
ghcr-debs-tag: ubuntu-24.04-full
- name: workaround high-entropy ASLR
# not needed after either an update to llvm or runner is done
+39 -2
@@ -16,6 +16,13 @@ on:
paths-ignore:
- '**/*.md'
- 'doc/**'
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs restore: the
# linux and macOS jobs re-run --build-only (compile only, no tests) on the
# default branch, where their ccache writes are visible to every PR. Only
# Windows is skipped on schedule (see its job `if`) - seeding the linux and
# macOS shards is where the cold-cache cost lives.
schedule:
- cron: '0 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -68,6 +75,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap ccache
ghcr-debs-tag: ubuntu-24.04-minimal
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
# which would stop the test scripts from re-execing under
@@ -81,8 +89,11 @@ jobs:
- name: Pin ccache directory
run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
# PRs restore the cache the weekday seed writes but never save it, so
# PR runs add no per-shard ccache entries to the Actions cache. The
# seed (schedule) saves below.
- name: Restore ccache
uses: actions/cache@v5
uses: actions/cache/restore@v5
with:
path: ~/.cache/ccache
# Per-shard cache lineage: each shard compiles a distinct config
@@ -94,6 +105,13 @@ jobs:
os-check-linux-ccache-${{ matrix.shard }}-
os-check-linux-ccache-
# On the weekday seed, force clean recompiles (CCACHE_RECACHE) so the
# saved master ccache is reseeded from scratch rather than only
# accumulating deltas. PR/push runs leave it unset and keep their warm hits.
- name: Force fresh compiles on scheduled reseed
if: github.event_name == 'schedule'
run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
- name: autogen
run: |
ccache -z
@@ -380,10 +398,20 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--shard "${{ matrix.shard }}/${{ strategy.job-total }}" \
--cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
--private-dir=certs "$RUNNER_TEMP/os-check-configs.json"
# Seed runs (schedule) refresh the master-scoped ccache that PR runs
# restore above; PR/push runs never save, so PRs add nothing.
- name: Save ccache (seed only)
if: github.event_name == 'schedule'
uses: actions/cache/save@v5
with:
path: ~/.cache/ccache
key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.ref_name }}-${{ github.sha }}
- name: ccache stats
if: always()
run: ccache -s || true
@@ -392,6 +420,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: os-check-linux-logs-${{ matrix.shard }}
path: |
build-*/make-check.log
@@ -413,6 +442,9 @@ jobs:
# macos-apple-native-cert-validation.yml workflow.
make_check_macos:
name: make check macos
# Runs on PRs/pushes and on the weekday ccache-seed cron, where it
# --build-only-seeds the macOS ccache (like the linux shards). Only
# Windows is skipped on schedule (no ccache to seed).
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
runs-on: macos-latest
# Serial checks: roughly the sum of the per-config minutes plus
@@ -442,6 +474,8 @@ jobs:
with:
workflow-id: os-check-macos
max-size: 500M
# PRs read the weekday-seeded macOS ccache; only the seed saves.
read-only: ${{ github.event_name == 'pull_request' }}
# Same JSON config format as make_check_linux above; "minutes" only
# orders the serial schedule here (longest first).
@@ -478,6 +512,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--threads 1 --cc= \
--cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
--private-dir=certs "$RUNNER_TEMP/os-check-macos-configs.json"
@@ -490,6 +525,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: os-check-macos-logs
path: |
build-*/make-check.log
@@ -499,7 +535,8 @@ jobs:
windows_build:
name: Windows Build Test
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
# Skipped on the weekday ccache-seed cron: no ccache to seed here.
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'schedule') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
runs-on: windows-latest
strategy:
fail-fast: false
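Review bot: The "reseeded from scratch" intent stated above the `Force fresh compiles on scheduled reseed` step is not what `CCACHE_RECACHE=1` delivers on its own: the scheduled run still restores the previous seed into `~/.cache/ccache`, recache only overwrites the entries it recompiles, and everything else in the restored directory is carried forward into the new `Save ccache (seed only)` upload, so stale objects persist until ccache's size-based cleanup evicts them. Either skip the restore on schedule (`if: github.event_name != 'schedule'` on the `Restore ccache` step) or empty the directory before compiling, e.g. `run: ccache --clear && echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"` (ccache is installed by the apt step above and `CCACHE_DIR` is already pinned). Separately, the comment before `Restore ccache` says PRs never save, but the save step's `if: github.event_name == 'schedule'` also excludes `push`, so master pushes no longer refresh this cache either - worth saying explicitly if that is intended. The macOS and Windows jobs in this section continue past the visible hunks.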
+1
@@ -62,6 +62,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libpam-dev ninja-build meson
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+17 -2
@@ -6,12 +6,21 @@ on:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '0 7 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
# Build the PIC32MZ software simulator (https://github.com/wolfSSL/simulators,
# PIC32MZSim/ subdirectory) and run the wolfCrypt test suite on emulated
# PIC32MZ EC (no FPU, CE ignores OUT_SWAP) and EF (FPU + OUT_SWAP) parts,
@@ -67,6 +76,10 @@ jobs:
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Build ${{ matrix.image_tag }} image
uses: docker/build-push-action@v7
with:
@@ -75,8 +88,10 @@ jobs:
push: false
load: true
tags: ${{ matrix.image_tag }}
cache-from: type=gha,scope=${{ matrix.cache_scope }}
cache-to: type=gha,mode=max,scope=${{ matrix.cache_scope }}
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:${{ matrix.cache_scope }}
# Write only on the weekend cron, and only from the EC entry of each
# image, so the two chips that share a scope do not race on the push.
cache-to: ${{ ((github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.chip_label == 'EC') && format('type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:{0},mode=max', matrix.cache_scope) || '' }}
- name: Run wolfCrypt tests on PIC32MZ ${{ matrix.chip_label }} (${{ matrix.port_label }})
run: |
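Review bot: Both write gates - the `Log in to ghcr` step's `if` and the `cache-to` expression - accept any `workflow_dispatch`, and a manual dispatch can be started on any branch by anyone with write access, so a dispatch from a feature branch pushes that branch's layers into `ghcr.io/wolfssl/wolfssl-sim-cache:<scope>`, which every PR run then imports via `cache-from`. The old `type=gha` cache was branch-scoped by GitHub; the registry cache is not, so the workflow has to enforce the scope itself by restricting writes to the default branch: `if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref_name == github.event.repository.default_branch)`, with the same predicate in the `cache-to` condition. Since the predicate now appears twice, computing it once in a job-level `env:` and testing `env.REFRESH_CACHE == 'true'` in both places avoids the two drifting apart.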
+11
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs restore, by
# re-running --build-only (compile only, no tests) on the default branch.
# PR runs are read-only.
schedule:
- cron: '4 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -39,6 +44,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -48,6 +54,9 @@ jobs:
workflow-id: pq-all
config-hash: shard-${{ matrix.shard }}
max-size: 350M
# PRs read the cache the weekday seed writes; they never
# save, so PR runs add nothing to the Actions cache.
read-only: ${{ github.event_name == 'pull_request' }}
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
# which would stop the test scripts from re-execing under
@@ -220,6 +229,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--shard "${{ matrix.shard }}/${{ strategy.job-total }}" \
--private-dir=certs \
"$RUNNER_TEMP/pq-all-configs.json"
@@ -232,6 +242,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: pq-all-logs-${{ matrix.shard }}
path: |
build-*/make-check.log
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '36 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -35,6 +40,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -42,6 +48,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: psk
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 100M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
@@ -95,6 +102,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--private-dir=certs \
"$RUNNER_TEMP/psk-configs.json"
@@ -106,6 +114,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: psk-logs
path: |
build-*/make-check.log
+1
@@ -109,6 +109,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: build-essential autoconf automake autoconf-archive pkgconf libffi-dev libbz2-dev libreadline-dev libsqlite3-dev zlib1g-dev libncursesw5-dev libgdbm-dev libnss3-dev liblzma-dev uuid-dev pkg-config
ghcr-debs-tag: ubuntu-24.04-full
- name: Download wolfSSL
uses: actions/download-artifact@v7
+1
@@ -63,6 +63,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libcurl4-openssl-dev libjansson-dev libp11-dev librtlsdr-dev libcap-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+15 -2
@@ -7,12 +7,21 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '15 6 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
# Build the SE050 software simulator (https://github.com/wolfSSL/simulators,
# SE050Sim/ subdirectory), build wolfSSL against its NXP Plug&Trust SDK +
# simulator bridge, and run the wolfCrypt SE050 test binary against the
@@ -55,6 +64,10 @@ jobs:
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Build wolfCrypt-SE050 test image
uses: docker/build-push-action@v7
with:
@@ -63,8 +76,8 @@ jobs:
push: false
load: true
tags: wolfssl-se050-sim:ci
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:se050
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:se050,mode=max' || '' }}
- name: Run wolfCrypt tests against simulator
run: docker run --rm wolfssl-se050-sim:ci
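Review bot: The new workflow-level `permissions: packages: write` is granted to every run of this workflow, including `pull_request` runs that never execute the login step or a non-empty `cache-to`. Fork PRs get a read-only token regardless, but same-repository PR runs now carry a token able to overwrite the shared `wolfssl-sim-cache` package while building and running untrusted-ish PR code. Least privilege here is to split the refresh into its own job (`if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'`) with job-level `permissions: packages: write`, and leave the test job at `packages: read` (or no package permission at all if the cache package is public - its visibility is not shown here).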
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '40 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,6 +38,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -40,6 +46,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: smallstacksize
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 150M
# The JSON list below is the former runner-per-config matrix (the
@@ -118,6 +125,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
"$RUNNER_TEMP/smallstacksize-configs.json"
- name: ccache stats
@@ -128,6 +136,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: smallstacksize-logs
path: |
build-*/make-check.log
+21 -4
@@ -36,9 +36,13 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ master, main ]
# Weekday-morning (10:00 UTC) build-only seed of the master-scoped ccache that PR runs restore
# (in addition to the master pushes above). PR runs are read-only.
schedule:
- cron: '56 10 * * 1-5'
concurrency:
group: smoke-${{ github.workflow }}-${{ github.ref }}
group: smoke-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
cancel-in-progress: true
permissions:
@@ -90,6 +94,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap ccache
ghcr-debs-tag: ubuntu-24.04-minimal
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
# which would stop the test scripts from re-execing under
@@ -99,15 +104,17 @@ jobs:
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
# ccache's default cache dir (XDG ~/.cache/ccache) is what the
# actions/cache step below saves; pin it explicitly so the two
# actions/cache steps below restore/save; pin it explicitly so the two
# cannot drift apart (e.g. if a later change sets CCACHE_DIR).
- name: Pin ccache directory
if: steps.merge_check.outputs.skip != 'true'
run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
# PRs restore the cache the master pushes / weekday seed write, but
# never save it (the save step is gated to non-PR events below).
- name: Restore ccache
if: steps.merge_check.outputs.skip != 'true'
uses: actions/cache@v5
uses: actions/cache/restore@v5
with:
path: ~/.cache/ccache
key: smoke-ccache-${{ github.base_ref || github.ref_name }}-${{ github.sha }}
@@ -153,9 +160,18 @@ jobs:
{"name": "leantls-extra", "configure": ["--enable-leantls", "--enable-session-ticket", "--enable-sni", "--enable-opensslextra"]}
]
EOF
.github/scripts/parallel-make-check.py --cflags=-Werror \
.github/scripts/parallel-make-check.py ${{ github.event_name == 'schedule' && '--build-only' || '' }} --cflags=-Werror \
--private-dir=certs "$RUNNER_TEMP/smoke-configs.json"
# Seed (master pushes + the weekday cron) writes the master-scoped
# ccache that PR runs restore; PRs never save.
- name: Save ccache
if: github.event_name != 'pull_request' && steps.merge_check.outputs.skip != 'true'
uses: actions/cache/save@v5
with:
path: ~/.cache/ccache
key: smoke-ccache-${{ github.ref_name }}-${{ github.sha }}
- name: ccache stats
if: always() && steps.merge_check.outputs.skip != 'true'
run: ccache -s || true
@@ -164,6 +180,7 @@ jobs:
if: failure() && steps.merge_check.outputs.skip != 'true'
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: smoke-logs
path: |
build-*/make-check.log
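Review bot: The new `Save ccache` step gates the writer with a denylist, `if: github.event_name != 'pull_request' && ...`, so any trigger added to this workflow later (`pull_request_target`, `workflow_dispatch`, `merge_group`, an `issue_comment` bot) silently becomes a writer of the master-scoped cache that every PR restores, possibly from an untrusted ref. The os-check workflow in this same PR uses an allowlist (`== 'schedule'`); matching that shape here costs nothing and fails closed: `if: (github.event_name == 'push' || github.event_name == 'schedule') && steps.merge_check.outputs.skip != 'true'`. The save key `smoke-ccache-${{ github.ref_name }}-${{ github.sha }}` and the restore key's `github.base_ref || github.ref_name` do line up for the push/PR pairing, so no change is needed there.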
+1
@@ -63,6 +63,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: build-essential autoconf libtool pkg-config clang libc++-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+1
@@ -63,6 +63,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: libcppunit-dev
ghcr-debs-tag: ubuntu-24.04-full
- name: Download lib
uses: actions/download-artifact@v7
+18 -2
@@ -7,12 +7,21 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '15 7 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
# Build the STM32 software simulator (https://github.com/wolfSSL/simulators,
# STM32Sim/ subdirectory) and run the wolfCrypt test suite on emulated
# STM32H753 (Cortex-M7), STM32U585 (Cortex-M33), and STM32MP135 (Cortex-A7)
@@ -74,6 +83,10 @@ jobs:
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Build stm32sim-wolfcrypt image
uses: docker/build-push-action@v7
with:
@@ -82,8 +95,11 @@ jobs:
push: false
load: true
tags: stm32sim-wolfcrypt:ci
cache-from: type=gha,scope=stm32sim
cache-to: type=gha,mode=max,scope=stm32sim
# Per-chip cache tag: H753/U585 share an image but MP135's context is
# sed-patched, and a per-chip tag also keeps the weekend writers from
# racing on one ref.
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stm32-${{ matrix.chip_label }}
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && format('type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stm32-{0},mode=max', matrix.chip_label) || '' }}
- name: Run wolfCrypt tests on STM32${{ matrix.chip_label }}
run: |
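Review bot: The `Log in to ghcr` step expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the `run:` script text, so the token becomes part of the generated shell file on the runner rather than a process environment variable; the masking still applies to the log, but it is the pattern that leaks under `set -x` or any later refactor that echoes the command. The conventional fix is to pass both through `env:` and reference them as shell variables, or to use `docker/login-action` with `registry: ghcr.io`. The login's `if` condition stays as is.

```yaml
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
  if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
  env:
    GHCR_USER: ${{ github.actor }}
    GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin
# … unchanged: build-push-action step with per-chip cache-from/cache-to …
```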
+15 -2
@@ -7,12 +7,21 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '30 6 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
# Build the STSAFE-A120 software simulator (https://github.com/wolfSSL/simulators,
# STSAFEA120Sim/ subdirectory), build wolfSSL against STMicro's STSELib +
# simulator bridge, and run the wolfCrypt STSAFE-A120 test binary against the
@@ -82,6 +91,10 @@ jobs:
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Build wolfCrypt-STSAFE-A120 test image
uses: docker/build-push-action@v7
with:
@@ -90,8 +103,8 @@ jobs:
push: false
load: true
tags: wolfssl-stsafe-a120-sim:ci
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stsafe-a120
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stsafe-a120,mode=max' || '' }}
- name: Run wolfCrypt tests against simulator
run: docker run --rm wolfssl-stsafe-a120-sim:ci
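Review bot: With `cancel-in-progress: true` and `group: ${{ github.workflow }}-${{ github.ref }}`, the new Saturday 06:30 UTC `schedule` run shares its concurrency group with any push to the default branch, so a master push during the refresh cancels it (losing the week's cache update, since buildx writes the cache manifest last) or the refresh cancels the push's test run. The smoke workflow in this PR added the event name to its group for exactly this reason; mirroring it here separates the two: `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`. The `push:` trigger itself is above the visible hunk, so whether this workflow runs on master pushes is inferred from the sibling simulator workflows.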
+1
@@ -46,6 +46,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: build-essential autoconf automake libtool jq psmisc
ghcr-debs-tag: ubuntu-24.04-full
- name: Pull TLS-Anvil Docker image
run: docker pull ghcr.io/tls-attacker/tlsanvil:latest
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '44 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -37,6 +42,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -44,6 +50,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: trackmemory
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 250M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
@@ -93,6 +100,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--private-dir=certs \
"$RUNNER_TEMP/trackmemory-configs.json"
@@ -104,6 +112,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: trackmemory-logs
path: |
build-*/make-check.log
+15 -2
@@ -7,12 +7,21 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '45 6 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
# Build the TROPIC01 software simulator (https://github.com/wolfSSL/simulators,
# TROPIC01Sim/ subdirectory), build wolfSSL --with-tropic01 against libtropic
# v0.1.0 + the simulator's TCP HAL, and run Tropic Square's wolfssl-test app
@@ -74,6 +83,10 @@ jobs:
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Build wolfCrypt-TROPIC01 test image
uses: docker/build-push-action@v7
with:
@@ -82,8 +95,8 @@ jobs:
push: false
load: true
tags: wolfssl-tropic01-sim:ci
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:tropic01
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:tropic01,mode=max' || '' }}
- name: Run wolfCrypt tests against simulator
run: docker run --rm wolfssl-tropic01-sim:ci
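Review bot: Switching `cache-from` to `type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:tropic01` makes that package a trust boundary for PR runs: buildx only checks that a cached layer's key matches the Dockerfile and context, it does not authenticate who produced the layer, so anyone who can write to that ghcr package can place content into the image that `docker run --rm wolfssl-tropic01-sim:ci` executes on a PR runner with the checkout mounted in the job. The previous `type=gha` cache was scoped to this repository and branch by GitHub; the registry cache needs the equivalent enforced on the package side (write access limited to this repository's workflows, refreshed only from the default branch). A comment above `cache-from` should record that, e.g. `# Registry cache is trusted input for PR test images: keep the package's write access limited to this repo's scheduled/dispatch runs.`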
+1
@@ -84,6 +84,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: ${{ matrix.platform.id }}-${{ matrix.thread.id }}-${{ matrix.library.id }}
path: |
build/**
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '48 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,6 +38,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential gcc-multilib
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -40,6 +46,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: wconversion
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 300M
# The JSON list below is the former runner-per-config matrix. These
@@ -140,6 +147,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
"$RUNNER_TEMP/wconversion-configs.json"
- name: ccache stats
@@ -150,6 +158,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: wconversion-logs
path: |
build-*/make-check.log
@@ -314,6 +314,7 @@ jobs:
if: always()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: renode-multimem-smallstack-results
path: wolfboot/test_results/
@@ -422,6 +423,7 @@ jobs:
if: always()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: renode-multimem-smallstack-fastmath-results
path: wolfboot/test_results/
@@ -530,5 +532,6 @@ jobs:
if: always()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: renode-multimem-smallstack-noasm-results
path: wolfboot/test_results/
+9
@@ -7,6 +7,11 @@ on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
# restore: re-runs --build-only (compile only, no tests) on the
# default branch. PR runs are read-only (see ccache-setup).
schedule:
- cron: '52 10 * * 1-5'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -48,6 +53,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
ghcr-debs-tag: ubuntu-24.04-minimal
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
@@ -55,6 +61,7 @@ jobs:
uses: ./.github/actions/ccache-setup
with:
workflow-id: wolfsm
read-only: ${{ github.event_name == 'pull_request' }}
max-size: 200M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
@@ -88,6 +95,7 @@ jobs:
]
EOF
.github/scripts/parallel-make-check.py \
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
--private-dir=certs \
"$RUNNER_TEMP/wolfsm-configs.json"
@@ -99,6 +107,7 @@ jobs:
if: failure()
uses: actions/upload-artifact@v6
with:
retention-days: 7
name: wolfsm-logs
path: |
build-*/make-check.log
+1
@@ -41,6 +41,7 @@ jobs:
uses: ./.github/actions/install-apt-deps
with:
packages: zip bridge-utils uml-utilities git cmake ninja-build gperf ccache dfu-util device-tree-compiler wget python3-dev python3-pip python3-setuptools python3-tk python3-wheel xz-utils file make gcc gcc-multilib g++-multilib libsdl2-dev libmagic1 autoconf automake bison build-essential ca-certificates cargo ccache chrpath cmake cpio device-tree-compiler dfu-util diffstat dos2unix doxygen file flex g++ gawk gcc gcovr git git-core gnupg gperf gtk-sharp3 help2man iproute2 lcov libcairo2-dev libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make net-tools ninja-build openssh-client parallel pkg-config python3-dev python3-pip python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo texinfo unzip wget ovmf xz-utils
ghcr-debs-tag: ubuntu-22.04-full
- name: Setup cmake version
uses: jwlawson/actions-setup-cmake@v2