mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 18:50:50 +02:00
dd2f9d3ab8
The 10 GB, LRU-evicted, PR-scoped Actions cache was being thrashed - the
docker simulator buildx layers (~6 GiB), plus per-PR ccache and apt-archive
writes whose keys never hit - which kept evicting the shared ccache, while
the apt mirror timed out often enough to break PR CI. Move the heavy caches
to ghcr (free, separate pool) and make PR runs read-only against the Actions
cache.
apt dependencies from prebuilt ghcr .deb bundles
- ci-deps-image.yml resolves each package list under .github/ci-deps/ into
its .deb closure and publishes ghcr.io/<owner>/wolfssl-ci-debs:<tag> in
two tiers: <ver>-minimal (make-check family) and <ver>-full (interop
superset), for ubuntu-22.04 and 24.04.
- install-apt-deps gains a ghcr-debs-tag input: pull the bundle and install
offline (--no-download) so the apt mirror is never on the PR critical
path. Any failure (bundle missing/not public/incomplete) falls through to
the existing apt path, so it is always safe to set.
sim-test buildx layers to a shared ghcr registry cache
- the 7 docker simulator workflows switch from cache-to: type=gha to
ghcr.io/wolfssl/wolfssl-sim-cache:<scope>. cache-from reads on every run
(anonymous); cache-to writes only on the weekend cron and manual
workflow_dispatch. Per-distinct-image tags and de-duplicated writers keep
parallel matrix jobs from racing on one ref.
ccache: PRs read, the schedule writes
- ccache-setup gains read-only: PR runs restore the shared master-scoped
cache but never upload; schedule/push runs refresh it. Wired across
os-check (linux + macOS), pq-all, smoke-test and the 12 small make-check
workflows.
- parallel-make-check.py gains --build-only (compile every config, skip the
test phase) so weekday-morning seed crons warm the cache PR runs consume.
artifact retention capped at 7 days on the failure-log/result uploads that
previously defaulted to 90.
ONE-TIME SETUP: after their first publish, make the ghcr packages
wolfssl-ci-debs and wolfssl-sim-cache PUBLIC so anonymous pulls work from PR
(including fork) runs; until then everything falls back cleanly.
110 lines
4.4 KiB
YAML
110 lines
4.4 KiB
YAML
name: STM32 simulator test
|
|
|
|
# START OF COMMON SECTION
|
|
on:
|
|
push:
|
|
branches: [ 'release/**' ]
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
branches: [ '*' ]
|
|
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
|
|
# cache that PR runs read (cache-to below is gated to those two events).
|
|
schedule:
|
|
- cron: '15 7 * * 6'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
# END OF COMMON SECTION
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
# Build the STM32 software simulator (https://github.com/wolfSSL/simulators,
|
|
# STM32Sim/ subdirectory) and run the wolfCrypt test suite on emulated
|
|
# STM32H753 (Cortex-M7), STM32U585 (Cortex-M33), and STM32MP135 (Cortex-A7)
|
|
# hardware. Replaces the previous Renode-based STM32H753 workflow and adds
|
|
# U5/PKA + MP135 (SHA3/SHAKE on HASH1) coverage.
|
|
#
|
|
# Dockerfile.wolfcrypt reads wolfSSL from /opt/wolfssl at runtime via a
|
|
# bind mount, so unlike se050-sim.yml / stsafe-a120-sim.yml no Dockerfile
|
|
# patching is required - we just mount the PR checkout.
|
|
#
|
|
# The simulators repo is pinned via SIMULATORS_REF so the MP135 SHAKE-
|
|
# enabling sed patch below has a known anchor in user_settings.h. Bump
|
|
# the pin when simulators changes are needed.
|
|
|
|
env:
|
|
SIMULATORS_REF: 840da2f4a28a9e3027c127da38d758ded902d926
|
|
|
|
jobs:
|
|
stm32_sim:
|
|
name: wolfCrypt on STM32${{ matrix.chip_label }}
|
|
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
|
|
runs-on: ubuntu-24.04
|
|
timeout-minutes: 30
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- chip_label: H753
|
|
script: run-wolfcrypt-h7.sh
|
|
- chip_label: U585
|
|
script: run-wolfcrypt-u5.sh
|
|
- chip_label: MP135
|
|
script: run-wolfcrypt-mp135.sh
|
|
steps:
|
|
- name: Checkout wolfSSL (PR source)
|
|
uses: actions/checkout@v5
|
|
with:
|
|
path: wolfssl
|
|
|
|
- name: Clone STM32 simulator
|
|
run: |
|
|
git clone https://github.com/wolfSSL/simulators simulators
|
|
cd simulators && git checkout "$SIMULATORS_REF"
|
|
|
|
# The MP135 firmware in the simulators repo currently disables SHAKE
|
|
# in user_settings.h with a comment pointing at the wolfSSL build
|
|
# break that this PR resolves. Once the simulators repo refreshes
|
|
# that file, this patch step becomes a no-op (the grep below will
|
|
# still pass) - drop it then.
|
|
- name: Enable SHAKE in MP135 firmware user_settings.h
|
|
if: matrix.chip_label == 'MP135'
|
|
working-directory: simulators/STM32Sim/firmware/wolfcrypt-test-mp135
|
|
run: |
|
|
sed -i 's|^#define WOLFSSL_SHA3$|#define WOLFSSL_SHA3\n#define WOLFSSL_SHAKE128\n#define WOLFSSL_SHAKE256|' user_settings.h
|
|
# Fail fast if the anchor line drifted - better than silently
|
|
# building with SHAKE off and "passing" without exercising it.
|
|
grep -q '^#define WOLFSSL_SHAKE128$' user_settings.h
|
|
grep -q '^#define WOLFSSL_SHAKE256$' user_settings.h
|
|
|
|
- uses: docker/setup-buildx-action@v4
|
|
|
|
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
|
|
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
|
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
|
|
|
|
- name: Build stm32sim-wolfcrypt image
|
|
uses: docker/build-push-action@v7
|
|
with:
|
|
context: simulators/STM32Sim
|
|
file: simulators/STM32Sim/Dockerfile.wolfcrypt
|
|
push: false
|
|
load: true
|
|
tags: stm32sim-wolfcrypt:ci
|
|
# Per-chip cache tag: H753/U585 share an image but MP135's context is
|
|
# sed-patched, and a per-chip tag also keeps the weekend writers from
|
|
# racing on one ref.
|
|
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stm32-${{ matrix.chip_label }}
|
|
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && format('type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stm32-{0},mode=max', matrix.chip_label) || '' }}
|
|
|
|
- name: Run wolfCrypt tests on STM32${{ matrix.chip_label }}
|
|
run: |
|
|
docker run --rm \
|
|
-v "${{ github.workspace }}/wolfssl:/opt/wolfssl:ro" \
|
|
stm32sim-wolfcrypt:ci \
|
|
${{ matrix.script }}
|