mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 02:00:49 +02:00
dd2f9d3ab8
The 10 GB, LRU-evicted, PR-scoped Actions cache was being thrashed - the
docker simulator buildx layers (~6 GiB), plus per-PR ccache and apt-archive
writes whose keys never hit - which kept evicting the shared ccache, while
the apt mirror timed out often enough to break PR CI. Move the heavy caches
to ghcr (free, separate pool) and make PR runs read-only against the Actions
cache.
apt dependencies from prebuilt ghcr .deb bundles
- ci-deps-image.yml resolves each package list under .github/ci-deps/ into
its .deb closure and publishes ghcr.io/<owner>/wolfssl-ci-debs:<tag> in
two tiers: <ver>-minimal (make-check family) and <ver>-full (interop
superset), for ubuntu-22.04 and 24.04.
- install-apt-deps gains a ghcr-debs-tag input: pull the bundle and install
offline (--no-download) so the apt mirror is never on the PR critical
path. Any failure (bundle missing/not public/incomplete) falls through to
the existing apt path, so it is always safe to set.
sim-test buildx layers to a shared ghcr registry cache
- the 7 docker simulator workflows switch from cache-to: type=gha to
ghcr.io/wolfssl/wolfssl-sim-cache:<scope>. cache-from reads on every run
(anonymous); cache-to writes only on the weekend cron and manual
workflow_dispatch. Per-distinct-image tags and de-duplicated writers keep
parallel matrix jobs from racing on one ref.
ccache: PRs read, the schedule writes
- ccache-setup gains read-only: PR runs restore the shared master-scoped
cache but never upload; schedule/push runs refresh it. Wired across
os-check (linux + macOS), pq-all, smoke-test and the 12 small make-check
workflows.
- parallel-make-check.py gains --build-only (compile every config, skip the
test phase) so weekday-morning seed crons warm the cache PR runs consume.
artifact retention capped at 7 days on the failure-log/result uploads that
previously defaulted to 90.
ONE-TIME SETUP: after their first publish, make the ghcr packages
wolfssl-ci-debs and wolfssl-sim-cache PUBLIC so anonymous pulls work from PR
(including fork) runs; until then everything falls back cleanly.
245 lines
15 KiB
YAML
245 lines
15 KiB
YAML
name: cryptocb-only Tests
|
|
|
|
# START OF COMMON SECTION
|
|
on:
|
|
push:
|
|
branches: [ 'release/**' ]
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
branches: [ '*' ]
|
|
# Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs
|
|
# restore: re-runs --build-only (compile only, no tests) on the
|
|
# default branch. PR runs are read-only (see ccache-setup).
|
|
schedule:
|
|
- cron: '12 10 * * 1-5'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
# END OF COMMON SECTION
|
|
|
|
jobs:
|
|
# All former runner-per-config matrix entries build on one runner via
|
|
# .github/scripts/parallel-make-check.py (see os-check.yml for the full
|
|
# pattern): each config in its own out-of-tree ("VPATH") build directory
|
|
# off one checkout/autogen, checks on a pool of one-per-CPU worker
|
|
# threads, longest first. bubblewrap gives every test script its own
|
|
# network namespace so concurrent checks cannot collide on TCP/UDP ports
|
|
# (do not set AM_BWRAPPED here - that would disable it).
|
|
make_check:
|
|
name: make check
|
|
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
|
runs-on: ubuntu-24.04
|
|
# Generous for a cold ccache; warm reruns finish in a fraction.
|
|
timeout-minutes: 15
|
|
steps:
|
|
- uses: actions/checkout@v5
|
|
name: Checkout wolfSSL
|
|
|
|
- name: Install dependencies
|
|
uses: ./.github/actions/install-apt-deps
|
|
with:
|
|
packages: autoconf automake libtool build-essential bubblewrap
|
|
ghcr-debs-tag: ubuntu-24.04-minimal
|
|
|
|
# ccache via the cross-platform composite; the script passes the
|
|
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
|
|
- name: Set up ccache
|
|
uses: ./.github/actions/ccache-setup
|
|
with:
|
|
workflow-id: cryptocb-only
|
|
read-only: ${{ github.event_name == 'pull_request' }}
|
|
max-size: 200M
|
|
|
|
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
|
# which would stop the test scripts from re-execing under
|
|
# bwrap --unshare-net (their port-isolation mechanism).
|
|
- name: Allow unprivileged user namespaces (for bwrap)
|
|
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
|
|
|
|
# The JSON list below is the former runner-per-config matrix (the
|
|
# shared BASE_CONFIG env is folded into every entry); add new configs
|
|
# as new entries. "minutes" drives longest-first scheduling: refresh
|
|
# it from the Minutes column of a previous run's step summary.
|
|
- name: Build and make check all configs (parallel, out-of-tree)
|
|
run: |
|
|
cat > "$RUNNER_TEMP/cryptocb-only-configs.json" <<'EOF'
|
|
[
|
|
{"name": "ecc", "minutes": 2,
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_ECC: strips software ECC; swdev provides the software path via cryptocb. FP_ECC / ECCSI / SAKKE / deterministic-k test / OPENSSL_EXTRA compat layer all reference stripped primitives directly, so they stay off.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC"]},
|
|
{"name": "rsa", "minutes": 2,
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_RSA: strips software RSA; swdev provides the software path via cryptocb.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_RSA"]},
|
|
{"name": "sha256", "minutes": 2,
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_SHA256: strips software SHA-256; swdev provides the software path via cryptocb.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA256"]},
|
|
{"name": "sha512", "minutes": 2,
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_SHA512: strips software SHA-512 family (SHA-384, SHA-512/224, SHA-512/256, SHA-512); swdev handles every variant explicitly via cryptocb.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA512"]},
|
|
{"name": "sha512-via-general", "minutes": 2,
|
|
"comment": "Same as sha512 but tells swdev to refuse the SHA-384 / SHA-512/224 / SHA-512/256 variant callbacks (WOLFSSL_SWDEV_SHA512_GENERAL_ONLY). That forces the cryptocb dispatcher's fallback-to-plain-SHA-512-with-truncation path. The sha512 entry above instead has swdev handle every variant end-to-end, so the dispatcher fallback is otherwise uncovered.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_SHA512 -DWOLFSSL_SWDEV_SHA512_GENERAL_ONLY"]},
|
|
{"name": "aes", "minutes": 2,
|
|
"comment": "WOLF_CRYPTO_CB_ONLY_AES: strips software AES; swdev provides the software path via cryptocb.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13", "CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_AES"]},
|
|
{"name": "aes-gcm-via-ecb", "minutes": 2,
|
|
"comment": "Same as aes but tells swdev to refuse AES-GCM (SWDEV_AES_ONLYECB). That forces the parent's CB_ONLY_AES host-side GCM software path: GHASH runs on the host while AES-CTR blocks dispatch back through cryptocb ECB. The aes entry instead has swdev handle GCM end-to-end, so the host-side GCM path is otherwise uncovered.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_AES -DSWDEV_AES_ONLYECB"]},
|
|
{"name": "all", "minutes": 2,
|
|
"comment": "All five ONLY_* macros at once: every supported software primitive is stripped and dispatched through cryptocb. Catches any cross-algorithm call that a single-strip entry would still resolve via the remaining software paths.",
|
|
"configure": ["--enable-swdev", "--enable-cryptocb", "--enable-ecc",
|
|
"--enable-rsa", "--enable-dh", "--enable-aesgcm",
|
|
"--enable-aesccm", "--enable-aesctr", "--enable-aescfb",
|
|
"--enable-aeskeywrap", "--enable-aessiv", "--enable-aesofb",
|
|
"--enable-aesxts", "--enable-camellia", "--enable-chacha",
|
|
"--enable-poly1305", "--enable-sha", "--enable-sha3",
|
|
"--enable-shake128", "--enable-shake256", "--enable-blake2",
|
|
"--enable-blake2s", "--enable-hkdf", "--enable-hashdrbg",
|
|
"--enable-hashflags", "--enable-curve25519", "--enable-ed25519",
|
|
"--enable-curve448", "--enable-ed448", "--enable-mlkem",
|
|
"--enable-dilithium", "--enable-scrypt", "--enable-pwdbased",
|
|
"--enable-pkcs7", "--enable-pkcs12", "--enable-certgen",
|
|
"--enable-certreq", "--enable-certext", "--enable-keygen",
|
|
"--enable-asn=all", "--enable-cmac", "--enable-xchacha",
|
|
"--enable-crl", "--enable-ocsp", "--enable-ocspstapling",
|
|
"--enable-ocspstapling2", "--enable-dtls", "--enable-dtls13",
|
|
"--enable-tls13",
|
|
"CPPFLAGS=-DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA -DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_SHA512 -DWOLF_CRYPTO_CB_ONLY_AES"]}
|
|
]
|
|
EOF
|
|
.github/scripts/parallel-make-check.py \
|
|
${{ github.event_name == 'schedule' && '--build-only' || '' }} \
|
|
--private-dir=certs \
|
|
"$RUNNER_TEMP/cryptocb-only-configs.json"
|
|
|
|
- name: ccache stats
|
|
if: always()
|
|
run: ccache -s || true
|
|
|
|
- name: Upload logs on failure
|
|
if: failure()
|
|
uses: actions/upload-artifact@v6
|
|
with:
|
|
retention-days: 7
|
|
name: cryptocb-only-logs
|
|
path: |
|
|
build-*/make-check.log
|
|
build-*/test-suite.log
|
|
build-*/config.log
|
|
if-no-files-found: ignore
|