wolfssl/.github/workflows/wolfCrypt-Wconversion.yml
Juliusz Sosinowicz 3a6c31a51e CI: pool the per-config runner matrices into parallel make-check jobs
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.

Converted workflows (runner jobs per full pass):
  os-check.yml             101 -> 8  (92 Ubuntu configs -> 4 shards;
                           the macOS matrix, the user-settings jobs and
                           the standalone
                           macos-apple-native-cert-validation.yml fold
                           into one macOS runner; Windows unchanged)
  pq-all.yml                21 -> 2 shards
  disable-pk-algs.yml       15 -> 1
  wolfCrypt-Wconversion.yml 11 -> 1
  trackmemory.yml            7 -> 1
  cryptocb-only.yml          8 -> 1  (incl. the two new SHA512 entries)
  multi-compiler.yml         6 -> 1
  smallStackSize.yml         6 -> 1
  multi-arch.yml             6 -> 1
  async.yml                  5 -> 1
  psk.yml                    5 -> 1
  no-malloc.yml              3 -> 1
  wolfsm.yml                 3 -> 1
  opensslcoexist.yml         2 -> 1

Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).

Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
  files, sniffer captures and helpers, examples/crypto_policies,
  input, quit) into the build tree via a BUILT_SOURCES stamp, removed
  again in distclean-local. ChangeToWolfRoot() and the script tests
  resolve everything relative to the working directory, so out-of-tree
  make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
  tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
  support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
  error-code headers from the source tree and generates into the build
  tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
  tree for the configure-generated headers (wolfssl/options.h,
  wolfssl/version.h); the in-tree-only guards are dropped.

Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
2026-06-12 09:47:13 +00:00

159 lines
9.1 KiB
YAML

name: wolfCrypt conversion warnings
# START OF COMMON SECTION
on:
  push:
    branches: [ 'release/**' ]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [ '*' ]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
jobs:
  # All former runner-per-config matrix entries build on one runner via
  # .github/scripts/parallel-make-check.py (see os-check.yml for the full
  # pattern): each config builds in its own out-of-tree ("VPATH") build
  # directory off one checkout/autogen, on a pool of one-per-CPU worker
  # threads, longest first.
  build_library:
    name: build library
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # Generous for a cold ccache; warm reruns finish in a fraction.
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        name: Checkout wolfSSL
      - name: Install dependencies
        uses: ./.github/actions/install-apt-deps
        with:
          packages: autoconf automake libtool build-essential gcc-multilib
      # ccache via the cross-platform composite; the script passes the
      # compiler to configure as CC="ccache gcc" (or a per-config "cc").
      - name: Set up ccache
        uses: ./.github/actions/ccache-setup
        with:
          workflow-id: wconversion
          max-size: 300M
      # The JSON list below is the former runner-per-config matrix. These
      # are compile-only warning checks ("check": false): the -Wconversion
      # family must come out clean, nothing is executed.
      - name: Build all configs (parallel, out-of-tree)
        run: |
          cat > "$RUNNER_TEMP/wconversion-configs.json" <<'EOF'
          [
            {"name": "noasm-mldsa-align0", "minutes": 1,
             "configure": ["--disable-asm", "--enable-cryptonly",
               "--enable-all-crypto", "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem", "--enable-slhdsa",
               "--enable-mldsa=yes,small", "--enable-lms", "--enable-xmss",
               "CPPFLAGS=-DWOLFSSL_MLDSA_ALIGNMENT=0 -DWC_XMSS_FULL_HASH -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"],
             "check": false},
            {"name": "intelasm-lms-full-hash", "minutes": 1,
             "configure": ["--enable-intelasm", "--enable-cryptonly",
               "--enable-all-crypto", "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem",
               "--enable-slhdsa=yes,sha2", "--enable-mldsa=yes,draft",
               "--enable-lms", "--enable-xmss",
               "CPPFLAGS=-DWC_LMS_FULL_HASH -DWOLFSSL_LMS_LARGE_CACHES -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"],
             "check": false},
            {"name": "smallstack-noasm-small-mem", "minutes": 1,
             "configure": ["--enable-smallstack", "--disable-asm",
               "--enable-cryptonly", "--enable-all-crypto", "--disable-examples",
               "--disable-benchmark", "--disable-crypttests", "--enable-mlkem",
               "--enable-slhdsa", "--enable-mldsa=yes,no-ctx",
               "--enable-lms=yes,small", "--enable-xmss",
               "CPPFLAGS=-DWOLFSSL_MLDSA_SIGN_SMALL_MEM -DWOLFSSL_MLDSA_VERIFY_SMALL_MEM -DWOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM -DWOLFSSL_XMSS_LARGE_SECRET_KEY -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"],
             "check": false},
            {"name": "smallstack-intelasm-precalc", "minutes": 1,
             "configure": ["--enable-smallstack", "--enable-intelasm",
               "--enable-cryptonly", "--enable-all-crypto", "--disable-examples",
               "--disable-benchmark", "--disable-crypttests", "--enable-mlkem",
               "--enable-slhdsa=yes,sha2", "--enable-mldsa", "--enable-lms",
               "--enable-xmss",
               "CPPFLAGS=-DWOLFSSL_MLDSA_SIGN_SMALL_MEM -DWOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC -DWOLFSSL_WC_LMS_SERIALIZE_STATE -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"],
             "check": false},
            {"name": "precalc-a-no-int128", "minutes": 1,
             "configure": ["--enable-cryptonly", "--enable-all-crypto",
               "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem",
               "--enable-slhdsa=yes,sha2", "--enable-mldsa", "--enable-lms",
               "--enable-xmss",
               "CPPFLAGS=-DWOLFSSL_MLDSA_SIGN_SMALL_MEM -DWOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A -DWOLFSSL_WC_XMSS_NO_SHA512 -DWOLFSSL_LMS_NO_SIG_CACHE -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128 -Wcast-qual"],
             "check": false},
            {"name": "cache-matrix-no-smoothing", "minutes": 1,
             "configure": ["--enable-cryptonly", "--enable-all-crypto",
               "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem=yes,small",
               "--enable-slhdsa=yes,small", "--enable-mldsa", "--enable-lms",
               "--enable-xmss=yes,small",
               "CPPFLAGS=-DWC_MLDSA_CACHE_MATRIX_A -DWOLFSSL_LMS_NO_SIGN_SMOOTHING -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"],
             "check": false},
            {"name": "no-large-code-lms192", "minutes": 1,
             "configure": ["--enable-cryptonly", "--enable-all-crypto",
               "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem=yes,no-large-code",
               "--enable-slhdsa=yes,small-mem", "--enable-mldsa",
               "--enable-lms=yes,sha256-192,shake256", "--enable-xmss",
               "CPPFLAGS=-DWOLFSSL_MLDSA_NO_LARGE_CODE -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"],
             "check": false},
            {"name": "smallstack-mldsa-dynamic", "minutes": 1,
             "configure": ["--enable-smallstack", "--enable-cryptonly",
               "--enable-all-crypto", "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem", "--enable-slhdsa",
               "--enable-mldsa", "--enable-lms=yes,verify-only", "--enable-xmss",
               "CPPFLAGS=-DWC_MLDSA_CACHE_PRIV_VECTORS -DWC_MLDSA_CACHE_PUB_VECTORS -DWOLFSSL_MLDSA_DYNAMIC_KEYS -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"],
             "check": false},
            {"name": "mlkem-small-no-int128", "minutes": 1,
             "configure": ["--disable-intelasm", "--enable-cryptonly",
               "--enable-all-crypto", "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem=yes,small",
               "--enable-slhdsa", "--enable-lms", "--enable-xmss",
               "CPPFLAGS=-DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"],
             "check": false},
            {"name": "verify-only-m32", "minutes": 0.8,
             "configure": ["--enable-cryptonly", "--enable-all-crypto",
               "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem",
               "--enable-slhdsa=yes,sha2", "--enable-mldsa=yes,verify-only",
               "--enable-lms=yes,small,sha256-192,shake256",
               "--enable-xmss=yes,verify-only",
               "CPPFLAGS=-DWOLFSSL_MLDSA_VERIFY_SMALL_MEM -DWOLFSSL_MLDSA_VERIFY_NO_MALLOC -DWOLFSSL_MLDSA_SMALL_MEM_POLY64 -DWOLFSSL_WC_XMSS_NO_SHAKE128 -DWOLFSSL_WC_XMSS_NO_SHAKE256 -Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual",
               "--enable-32bit", "CFLAGS=-m32"],
             "check": false},
            {"name": "m32-mlkem-small-mem", "minutes": 0.8,
             "configure": ["--disable-intelasm", "--enable-cryptonly",
               "--enable-all-crypto", "--disable-examples", "--disable-benchmark",
               "--disable-crypttests", "--enable-mlkem",
               "--enable-slhdsa=yes,verify-only", "--enable-mldsa",
               "--enable-lms", "--enable-xmss",
               "CPPFLAGS=-DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLDSA_NO_ASN1 -DWOLFSSL_MLDSA_ALIGNMENT=0 -Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual",
               "--enable-32bit", "CFLAGS=-m32"],
             "check": false}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            "$RUNNER_TEMP/wconversion-configs.json"
      - name: ccache stats
        if: always()
        run: ccache -s || true
      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: wconversion-logs
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore
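
A lint for a config list in the schema shown above, as an added example that is not part of the wolfSSL repository: it checks that every entry still carries the six warning flags that all configs on this page pass in CPPFLAGS, and that none of them is negated. The function names, the use of that flag list as a required policy, and the sample entries are assumptions constructed for illustration.

```python
import json
import shlex

# The warning flags every config on this page passes via CPPFLAGS
# (treated here as a required policy, which is an assumption).
REQUIRED = ("-Wconversion", "-Warith-conversion", "-Wenum-conversion",
            "-Wfloat-conversion", "-Wsign-conversion", "-Wcast-qual")
# configure variables whose value ends up on the compiler command line.
FLAG_VARS = ("CPPFLAGS", "CFLAGS")


def compiler_flags(configure_args):
    """Collect the tokens of every CPPFLAGS=/CFLAGS= configure argument."""
    flags = []
    for arg in configure_args:
        var, sep, value = arg.partition("=")
        if sep and var in FLAG_VARS:
            flags.extend(shlex.split(value))
    return flags


def lint_configs(configs):
    """Return {config name: [problems]} for entries that deviate from REQUIRED."""
    findings = {}
    for cfg in configs:
        flags = compiler_flags(cfg.get("configure", []))
        problems = [f"missing {w}" for w in REQUIRED if w not in flags]
        # -w, or -Wno-<x> for a required warning, is flagged wherever it appears.
        problems += [f"disabled by {f}" for f in flags
                     if f == "-w" or (f.startswith("-Wno-") and "-W" + f[5:] in REQUIRED)]
        if problems:
            findings[cfg.get("name", "<unnamed>")] = problems
    return findings


# Constructed sample list in the page's schema (not the real config file).
SAMPLE = json.loads("""[
 {"name": "ok", "minutes": 1, "check": false,
  "configure": ["--enable-cryptonly",
   "CPPFLAGS=-DNO_INT128 -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"]},
 {"name": "dropped-sign", "minutes": 1, "check": false,
  "configure": ["--enable-cryptonly", "CFLAGS=-m32",
   "CPPFLAGS=-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wcast-qual"]},
 {"name": "negated", "minutes": 1, "check": false,
  "configure": ["CPPFLAGS=-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -Wno-conversion"]}
]""")

if __name__ == "__main__":
    for name, problems in lint_configs(SAMPLE).items():
        print(f"{name}: {', '.join(problems)}")
```

Run against the JSON file the workflow writes, a non-empty result can fail the job before any compile starts, so a config edit cannot quietly drop a warning from the gate.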