Files
wolfssl/.github/workflows/stsafe-a120-sim.yml
T
Juliusz Sosinowicz dd2f9d3ab8 CI: offload ccache/apt/buildx caches off the GitHub Actions cache
The 10 GB, LRU-evicted, PR-scoped Actions cache was being thrashed - the
docker simulator buildx layers (~6 GiB), plus per-PR ccache and apt-archive
writes whose keys never hit - which kept evicting the shared ccache, while
the apt mirror timed out often enough to break PR CI. Move the heavy caches
to ghcr (free, separate pool) and make PR runs read-only against the Actions
cache.

apt dependencies from prebuilt ghcr .deb bundles
  - ci-deps-image.yml resolves each package list under .github/ci-deps/ into
    its .deb closure and publishes ghcr.io/<owner>/wolfssl-ci-debs:<tag> in
    two tiers: <ver>-minimal (make-check family) and <ver>-full (interop
    superset), for ubuntu-22.04 and 24.04.
  - install-apt-deps gains a ghcr-debs-tag input: pull the bundle and install
    offline (--no-download) so the apt mirror is never on the PR critical
    path. Any failure (bundle missing/not public/incomplete) falls through to
    the existing apt path, so it is always safe to set.

sim-test buildx layers to a shared ghcr registry cache
  - the 7 docker simulator workflows switch from cache-to: type=gha to
    ghcr.io/wolfssl/wolfssl-sim-cache:<scope>. cache-from reads on every run
    (anonymous); cache-to writes only on the weekend cron and manual
    workflow_dispatch. Per-distinct-image tags and de-duplicated writers keep
    parallel matrix jobs from racing on one ref.

ccache: PRs read, the schedule writes
  - ccache-setup gains read-only: PR runs restore the shared master-scoped
    cache but never upload; schedule/push runs refresh it. Wired across
    os-check (linux + macOS), pq-all, smoke-test and the 12 small make-check
    workflows.
  - parallel-make-check.py gains --build-only (compile every config, skip the
    test phase) so weekday-morning seed crons warm the cache PR runs consume.

artifact retention capped at 7 days on the failure-log/result uploads that
previously defaulted to 90.

ONE-TIME SETUP: after their first publish, make the ghcr packages
wolfssl-ci-debs and wolfssl-sim-cache PUBLIC so anonymous pulls work from PR
(including fork) runs; until then everything falls back cleanly.
2026-06-15 22:36:35 +00:00

111 lines
5.0 KiB
YAML

name: STSAFE-A120 simulator test
# START OF COMMON SECTION
on:
push:
branches: [ 'release/**' ]
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches: [ '*' ]
# Weekend cron and manual workflow_dispatch refresh the shared ghcr build
# cache that PR runs read (cache-to below is gated to those two events).
schedule:
- cron: '30 6 * * 6'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
permissions:
contents: read
packages: write
# Build the STSAFE-A120 software simulator (https://github.com/wolfSSL/simulators,
# STSAFEA120Sim/ subdirectory), build wolfSSL against STMicro's STSELib +
# simulator bridge, and run the wolfCrypt STSAFE-A120 test binary against the
# simulator TCP server.
#
# The simulator's own Dockerfile (Dockerfile.wolfcrypt) clones wolfSSL master
# and applies two sed patches to it. Both patches are now upstreamed in
# wolfSSL itself (the include.am stsafe.c entry, and the
# stse_platform_generic.h include order in stsafe.c), so we:
# 1. COPY the PR checkout instead of cloning master.
# 2. Strip the now-redundant sed RUN block.
# 3. Switch the configure invocation from a raw -DWOLFSSL_STSAFEA120
# CFLAG to the new --enable-stsafe=a120 option.
env:
SIMULATORS_REF: 7e4a50ac3316680c523ec2f66711ea8403c94468
jobs:
stsafe_a120_sim:
name: wolfCrypt against STSAFE-A120 simulator
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
- name: Checkout wolfSSL (PR source)
uses: actions/checkout@v5
with:
path: wolfssl-src
- name: Clone STSAFE-A120 simulator
run: |
git clone https://github.com/wolfSSL/simulators simulators
cd simulators && git checkout "$SIMULATORS_REF"
- name: Stage PR wolfSSL into simulator build context
run: mv wolfssl-src simulators/STSAFEA120Sim/wolfssl
- name: Patch Dockerfile to use PR wolfSSL and the upstreamed STSAFE build flags
working-directory: simulators/STSAFEA120Sim
run: |
# 1. Replace the upstream master clone with a COPY of the PR source.
sed -i 's|^RUN git clone --branch \${WOLFSSL_REF} --depth 1 \\$|COPY wolfssl /app/wolfssl|' Dockerfile.wolfcrypt
# The COPY directive above is one line, so drop the now-stranded
# `https://github.com/wolfSSL/wolfssl.git /app/wolfssl` continuation
# line that followed the original `git clone --depth 1 \` line.
sed -i '\|^ https://github.com/wolfSSL/wolfssl.git /app/wolfssl$|d' Dockerfile.wolfcrypt
# Fail fast if the pattern drifted upstream -- better a clear error
# than a CI run that silently tests master.
grep -q '^COPY wolfssl /app/wolfssl$' Dockerfile.wolfcrypt
! grep -q 'git clone .*wolfssl\.git' Dockerfile.wolfcrypt
# 2. Neutralise the sed-patch RUN block: the patches it applies
# (adding stsafe.c to include.am, prepending
# stse_platform_generic.h to stsafe.c) are now upstream and
# rerunning them would produce duplicate entries.
sed -i '/^RUN sed -i \\$/,/^ head -2 \/app\/wolfssl\/wolfcrypt\/src\/port\/st\/stsafe\.c$/c\RUN true' Dockerfile.wolfcrypt
! grep -q 'sed -i .*include.am' Dockerfile.wolfcrypt
! grep -q 'sed -i .*port/st/stsafe.c' Dockerfile.wolfcrypt
# 3. Switch the wolfSSL configure invocation to the new
# --enable-stsafe=a120 option, and drop the now-redundant raw
# -DWOLFSSL_STSAFEA120 from CFLAGS.
sed -i 's|^ --disable-examples \\$| --disable-examples \\\n --enable-stsafe=a120 \\|' Dockerfile.wolfcrypt
sed -i 's|-DWOLFSSL_STSAFEA120 ||' Dockerfile.wolfcrypt
grep -q -- '--enable-stsafe=a120' Dockerfile.wolfcrypt
! grep -q -- '-DWOLFSSL_STSAFEA120' Dockerfile.wolfcrypt
- uses: docker/setup-buildx-action@v4
- name: Log in to ghcr (cache refresh on cron/manual dispatch)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Build wolfCrypt-STSAFE-A120 test image
uses: docker/build-push-action@v7
with:
context: simulators/STSAFEA120Sim
file: simulators/STSAFEA120Sim/Dockerfile.wolfcrypt
push: false
load: true
tags: wolfssl-stsafe-a120-sim:ci
cache-from: type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stsafe-a120
cache-to: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'type=registry,ref=ghcr.io/wolfssl/wolfssl-sim-cache:stsafe-a120,mode=max' || '' }}
- name: Run wolfCrypt tests against simulator
run: docker run --rm wolfssl-stsafe-a120-sim:ci