Files
wolfssl/.github/workflows/disable-pk-algs.yml
T
Juliusz Sosinowicz a62884599b CI review fixes: JSON validation, log volume, rm -rf, flag spelling
Address the Copilot review:
- parallel-make-check.py: validate "configure" (list of strings) and
  cflags/ldflags (strings) so a malformed entry fails the load instead
  of exploding a string into per-character configure arguments; print
  a single line for passing configs instead of dumping their full
  make-check.log into the CI log (failure dumps unchanged; the logs
  remain in build-<name>/ for the failure artifacts).
- Makefile.am: use rm -rf for the certs/input/quit setup and distclean
  cleanup. A --private-dir run replaces the certs symlink with a
  private directory copy that rm -f cannot remove (verified: make
  distclean in a build dir with a privatized certs/ now succeeds and
  removes it).
- psk.yml, disable-pk-algs.yml: normalize the single-dash tokens
  (-disable-rsa, -disable-ecc, -disable-aescbc, -enable-cryptonly)
  carried verbatim from the old matrices to the canonical double-dash
  form. No coverage change: configure honors single-dash spellings
  (verified -disable-rsa sets NO_RSA with no unrecognized-option
  warning), so these were always in effect; both touched configs
  re-validated end-to-end.

The --cc default stays "ccache gcc": ccache resolves the compiler
through its own masquerade symlinks (verified: no recursion and normal
cache hits with /usr/lib/ccache prepended to PATH), and the explicit
CC= also covers jobs that use ccache without the PATH masquerade.
2026-06-12 09:47:13 +00:00

144 lines
7.2 KiB
YAML

name: disable-pk-algs Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'release/**' ]
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
# All former runner-per-config matrix entries build on one runner via
# .github/scripts/parallel-make-check.py (see os-check.yml for the full
# pattern): each config in its own out-of-tree ("VPATH") build directory
# off one checkout/autogen, checks on a pool of one-per-CPU worker
# threads, longest first. bubblewrap gives every test script its own
# network namespace so concurrent checks cannot collide on TCP/UDP ports
# (do not set AM_BWRAPPED here - that would disable it).
make_check:
name: make check
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
runs-on: ubuntu-24.04
# Generous for a cold ccache; warm reruns finish in a fraction.
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Install dependencies
uses: ./.github/actions/install-apt-deps
with:
packages: autoconf automake libtool build-essential bubblewrap
# ccache via the cross-platform composite; the script passes the
# compiler to configure as CC="ccache gcc" (or a per-config "cc").
- name: Set up ccache
uses: ./.github/actions/ccache-setup
with:
workflow-id: disable-pk-algs
max-size: 150M
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
# which would stop the test scripts from re-execing under
# bwrap --unshare-net (their port-isolation mechanism).
- name: Allow unprivileged user namespaces (for bwrap)
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
# The JSON list below is the former runner-per-config matrix; add new
# configs as new entries (a "comment" key is allowed for notes).
# "minutes" is the expected duration driving longest-first scheduling:
# take it from the Minutes column of a previous run's step summary, or
# omit it for a new config (defaults to 1) and refresh later. The list
# is kept sorted by minutes for readability, but the schedule sorts by
# the values, not list order.
- name: Build and make check all configs (parallel, out-of-tree)
run: |
cat > "$RUNNER_TEMP/disable-pk-algs-configs.json" <<'EOF'
[
{"name": "rsa-dh", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-rsa", "--enable-dh"]},
{"name": "ecc", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-ecc"]},
{"name": "rsa-curve25519", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-rsa", "--enable-curve25519"]},
{"name": "ecc-curve25519", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-ecc", "--enable-curve25519"]},
{"name": "rsa-curve448", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-rsa", "--enable-curve448"]},
{"name": "ecc-curve448", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-ecc", "--enable-curve448"]},
{"name": "curve25519-ed25519", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-curve25519", "--enable-ed25519"]},
{"name": "curve448-ed448", "minutes": 1.2,
"configure": ["--disable-rsa", "--disable-dh", "--disable-ecc",
"--disable-curve25519", "--disable-ed25519", "--disable-curve448",
"--disable-ed448", "--enable-curve448", "--enable-ed448"]},
{"name": "cryptonly-rsa", "minutes": 0.8,
"configure": ["--enable-cryptonly", "--disable-rsa", "--disable-dh",
"--disable-ecc", "--disable-curve25519", "--disable-ed25519",
"--disable-curve448", "--disable-ed448", "--enable-rsa"]},
{"name": "cryptonly-dh", "minutes": 0.8,
"configure": ["--enable-cryptonly", "--disable-rsa", "--disable-dh",
"--disable-ecc", "--disable-curve25519", "--disable-ed25519",
"--disable-curve448", "--disable-ed448", "--enable-dh"]},
{"name": "cryptonly-ecc", "minutes": 0.8,
"configure": ["--enable-cryptonly", "--disable-rsa", "--disable-dh",
"--disable-ecc", "--disable-curve25519", "--disable-ed25519",
"--disable-curve448", "--disable-ed448", "--enable-ecc"]},
{"name": "cryptonly-curve25519", "minutes": 0.8,
"configure": ["--enable-cryptonly", "--disable-rsa", "--disable-dh",
"--disable-ecc", "--disable-curve25519", "--disable-ed25519",
"--disable-curve448", "--disable-ed448", "--enable-curve25519"]},
{"name": "cryptonly-ed25519", "minutes": 0.8,
"configure": ["--enable-cryptonly", "--disable-rsa", "--disable-dh",
"--disable-ecc", "--disable-curve25519", "--disable-ed25519",
"--disable-curve448", "--disable-ed448", "--enable-ed25519"]},
{"name": "cryptonly-curve448", "minutes": 0.8,
"configure": ["--enable-cryptonly", "--disable-rsa", "--disable-dh",
"--disable-ecc", "--disable-curve25519", "--disable-ed25519",
"--disable-curve448", "--disable-ed448", "--enable-curve448"]},
{"name": "cryptonly-ed448", "minutes": 0.8,
"configure": ["--enable-cryptonly", "--disable-rsa", "--disable-dh",
"--disable-ecc", "--disable-curve25519", "--disable-ed25519",
"--disable-curve448", "--disable-ed448", "--enable-ed448"]}
]
EOF
.github/scripts/parallel-make-check.py \
--private-dir=certs \
"$RUNNER_TEMP/disable-pk-algs-configs.json"
- name: ccache stats
if: always()
run: ccache -s || true
- name: Upload logs on failure
if: failure()
uses: actions/upload-artifact@v4
with:
name: disable-pk-algs-logs
path: |
build-*/make-check.log
build-*/test-suite.log
build-*/config.log
if-no-files-found: ignore