mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 17:10:50 +02:00
12597308de
The two jobs that manage their ccache cache manually rely on ccache's XDG default (~/.cache/ccache) matching the actions/cache path. That holds today, but nothing enforces it: a later change that sets CCACHE_DIR (e.g. adopting the ccache-setup composite, which uses ~/.ccache) would silently decouple the build's cache from the saved/restored directory. Pin CCACHE_DIR explicitly to the cached path so the pairing is visible and cannot drift.
173 lines
7.5 KiB
YAML
173 lines
7.5 KiB
YAML
name: Smoke Test
|
|
|
|
# Fast pre-flight build + make check across common-failure configs derived
|
|
# from the Jenkins PRB top-10 (last 30 days). Intentionally runs on drafts
|
|
# too: this is the gate that protects the rest of CI. Other PR workflows
|
|
# wait for this via .github/actions/wait-for-smoke.
|
|
#
|
|
# The smoke config list lives in the "Build and make check" step below;
|
|
# the generic runner .github/scripts/parallel-make-check.py builds each
|
|
# config in its own out-of-tree ("VPATH") build directory off this single
|
|
# checkout and runs make check across them on a pool of one-per-CPU worker
|
|
# threads, reporting thread/CPU efficiency in the step summary. bubblewrap
|
|
# is installed so the script tests re-exec themselves under bwrap
|
|
# --unshare-net and concurrent checks cannot collide on TCP/UDP ports (do
|
|
# not set AM_BWRAPPED here - that would disable it). Builds go through
|
|
# ccache (cached across runs) to keep the single-runner job fast on warm
|
|
# caches.
|
|
#
|
|
# For pull_request events the workflow tests the POST-MERGE tree:
|
|
# the PR head is checked out, the base branch is merged in, and:
|
|
# * a merge conflict fails the job before any build runs.
|
|
# * if the PR tree is identical to base (no diff), the build is skipped.
|
|
# * otherwise the build runs against the merged tree.
|
|
# This catches stale PRs whose head builds clean but whose merge with
|
|
# current master would break.
|
|
|
|
on:
|
|
push:
|
|
branches: [ master, main ]
|
|
paths-ignore:
|
|
- '**/*.md'
|
|
- 'doc/**'
|
|
- 'AUTHORS'
|
|
- 'LICENSING'
|
|
- 'ChangeLog.md'
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
branches: [ master, main ]
|
|
|
|
concurrency:
|
|
group: smoke-${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
smoke:
|
|
# Only run from the wolfssl org to avoid burning forks' CI minutes.
|
|
if: github.repository_owner == 'wolfssl'
|
|
runs-on: ubuntu-24.04
|
|
timeout-minutes: 60
|
|
env:
|
|
CCACHE_MAXSIZE: 2G
|
|
steps:
|
|
# For PRs we explicitly check out the PR head (not the auto-merge
|
|
# ref) and do the merge ourselves below so we can fail fast on
|
|
# conflicts. For push events we just check out the pushed SHA.
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Merge base into PR head (fail fast on conflict)
|
|
id: merge_check
|
|
if: github.event_name == 'pull_request'
|
|
env:
|
|
BASE_REF: ${{ github.event.pull_request.base.ref }}
|
|
run: |
|
|
set -e
|
|
git config user.email "ci@wolfssl.invalid"
|
|
git config user.name "wolfSSL CI Merge"
|
|
git fetch --no-tags origin "$BASE_REF"
|
|
BASE_SHA=$(git rev-parse FETCH_HEAD)
|
|
if git diff --quiet "$BASE_SHA" HEAD; then
|
|
echo "::notice::PR tree is identical to $BASE_REF; skipping smoke matrix."
|
|
echo "skip=true" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
if ! git merge --no-ff --no-commit "$BASE_SHA"; then
|
|
echo "::error::Merge conflicts with $BASE_REF - please rebase or merge $BASE_REF into the PR branch before testing."
|
|
git merge --abort || true
|
|
exit 1
|
|
fi
|
|
echo "skip=false" >> "$GITHUB_OUTPUT"
|
|
echo "Clean merge with $BASE_REF; testing post-merge tree."
|
|
|
|
- name: Install dependencies
|
|
if: steps.merge_check.outputs.skip != 'true'
|
|
uses: ./.github/actions/install-apt-deps
|
|
with:
|
|
packages: autoconf automake libtool build-essential bubblewrap ccache
|
|
|
|
# Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
|
|
# which would stop the test scripts from re-execing under
|
|
# bwrap --unshare-net (their port-isolation mechanism).
|
|
- name: Allow unprivileged user namespaces (for bwrap)
|
|
if: steps.merge_check.outputs.skip != 'true'
|
|
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
|
|
|
|
# ccache's default cache dir (XDG ~/.cache/ccache) is what the
|
|
# actions/cache step below saves; pin it explicitly so the two
|
|
# cannot drift apart (e.g. if a later change sets CCACHE_DIR).
|
|
- name: Pin ccache directory
|
|
if: steps.merge_check.outputs.skip != 'true'
|
|
run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
|
|
|
|
- name: Restore ccache
|
|
if: steps.merge_check.outputs.skip != 'true'
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.cache/ccache
|
|
key: smoke-ccache-${{ github.base_ref || github.ref_name }}-${{ github.sha }}
|
|
restore-keys: |
|
|
smoke-ccache-${{ github.base_ref || github.ref_name }}-
|
|
smoke-ccache-
|
|
|
|
- name: autogen
|
|
if: steps.merge_check.outputs.skip != 'true'
|
|
run: |
|
|
ccache -z
|
|
./autogen.sh
|
|
|
|
# Common-failure configs derived from the Jenkins PRB top-10 (last 30
|
|
# days); leantls-extra, dtls-suite and integration target the top
|
|
# failure modes (-Werror unused-function / implicit-decl / link
|
|
# errors). Every config builds with -Werror unless it sets its own
|
|
# cflags: sanitize-asan replaces it with AddressSanitizer flags (UBSAN
|
|
# excluded - current master has known left-shift UB in auto-generated
|
|
# SP math). --private-dir=certs gives every build dir its own certs/
|
|
# copy: crl-gen-openssl.test writes generated CRLs under certs/crl/,
|
|
# which would race through the shared VPATH certs symlink.
|
|
#
|
|
# List order is schedule order: the worker threads take configs from
|
|
# the top, so keep the slowest first or they straggle at the end on an
|
|
# otherwise idle runner. Order by the Minutes column of the step
|
|
# summary from a recent (warm-cache) run.
|
|
- name: Build and make check all configs (parallel, out-of-tree)
|
|
if: steps.merge_check.outputs.skip != 'true'
|
|
run: |
|
|
cat > "$RUNNER_TEMP/smoke-configs.json" <<'EOF'
|
|
[
|
|
{"name": "sanitize-asan", "configure": ["--enable-all"],
|
|
"cflags": "-fsanitize=address -fno-omit-frame-pointer -g -O1",
|
|
"ldflags": "-fsanitize=address"},
|
|
{"name": "enable-all-smallstack", "configure": ["--enable-all", "--enable-smallstack"]},
|
|
{"name": "enable-all", "configure": ["--enable-all"]},
|
|
{"name": "integration", "configure": ["--enable-openssh", "--enable-lighty", "--enable-stunnel", "--enable-opensslextra"]},
|
|
{"name": "dtls-suite", "configure": ["--enable-psk", "--enable-dtls", "--enable-dtls13", "--enable-dtls-mtu", "--enable-aesccm", "--enable-opensslextra"]},
|
|
{"name": "opensslextra", "configure": ["--enable-opensslextra"]},
|
|
{"name": "default"},
|
|
{"name": "cryptonly", "configure": ["--enable-cryptonly"]},
|
|
{"name": "leantls-extra", "configure": ["--enable-leantls", "--enable-session-ticket", "--enable-sni", "--enable-opensslextra"]}
|
|
]
|
|
EOF
|
|
.github/scripts/parallel-make-check.py --cflags=-Werror \
|
|
--private-dir=certs "$RUNNER_TEMP/smoke-configs.json"
|
|
|
|
- name: ccache stats
|
|
if: always() && steps.merge_check.outputs.skip != 'true'
|
|
run: ccache -s || true
|
|
|
|
- name: Upload logs on failure
|
|
if: failure() && steps.merge_check.outputs.skip != 'true'
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: smoke-logs
|
|
path: |
|
|
build-*/make-check.log
|
|
build-*/test-suite.log
|
|
build-*/config.log
|
|
if-no-files-found: ignore
|