Add a CI run to test all older providers against master
paulidale committed Mar 21, 2023
1 parent 0dbc889 commit e46f756
Showing 1 changed file with 238 additions and 0 deletions.
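--- a/.github/workflows/provider-compatibility.yml
+++ b/.github/workflows/provider-compatibility.yml
@@ -0,0 +1,238 @@
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# This verifies that FIPS and legacy providers built against some earlier
+# released versions continue to run against the current branch.
+
+name: Provider compatibility across versions
+
+on: [pull_request]
+# schedule:
+# - cron: '0 7 * * *'
+
+permissions:
+contents: read
+
+env:
+opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
+
+jobs:
+fips-releases:
+strategy:
+matrix:
+release: [
+# Formally released versions should be added here.
+# `dir' it the directory inside the tarball.
+# `tgz' is the name of the tarball.
+# `utl' is the download URL.
+# `tests' allows some tests to be skipped (e.g. if there are
+# some expired certificates used).
+{
+dir: openssl-3.0.0,
+tgz: openssl-3.0.0.tar.gz,
+url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
+tests: "TESTS='-test_ct -test_ssl_new'"
+},
+{
+dir: openssl-3.0.8,
+tgz: openssl-3.0.8.tar.gz,
+url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
+},
+{
+dir: openssl-3.1.0,
+tgz: openssl-3.1.0.tar.gz,
+url: "https://www.openssl.org/source/openssl-3.1.0.tar.gz",
+},
+]
+
+runs-on: ubuntu-latest
+steps:
+- name: create directories
+run: |
+mkdir downloads || echo "downloads directory already created"
+- name: download release source
+run: wget --no-verbose ${{ matrix.release.url }}
+working-directory: downloads
+- name: unpack release source
+run: tar xzf downloads/${{ matrix.release.tgz }}
+
+- name: localegen
+run: sudo locale-gen tr_TR.UTF-8
+
+- name: config release
+if: false
+run: ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+working-directory: ${{ matrix.release.dir }}
+- name: config dump release
+if: false
+run: ./configdata.pm --dump
+working-directory: ${{ matrix.release.dir }}
+
+- name: make release
+if: false
+run: make -s -j4
+working-directory: ${{ matrix.release.dir }}
+
+- name: create release artifacts
+run: tar czf ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
+
+- name: show module versions from release
+if: false
+run: |
+./util/wrap.pl -fips apps/openssl list -provider-path providers \
+-provider base \
+-provider default \
+-provider fips \
+-provider legacy \
+-providers
+working-directory: ${{ matrix.release.dir }}
+
+- name: make test
+if: false
+run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} ${{ matrix.release.tests }}
+working-directory: ${{ matrix.release.dir }}
+
+- uses: actions/upload-artifact@v3
+with:
+name: ${{ matrix.release.tgz }}
+path: ${{ matrix.release.tgz }}
+retention-days: 7
+
+development-branches:
+strategy:
+matrix:
+branch: [
+# Currently supported FIPS capable branches should be added here.
+# `name' is the branch name used to checkout out.
+# `dir' directory that will be used to build and test in.
+# `tgz' is the name of the tarball use to keep the artifacts of
+# the build.
+{
+name: openssl-3.0,
+dir: branch-3.0,
+tgz: branch-3.0.tar.gz,
+}, {
+name: openssl-3.1,
+dir: branch-3.1,
+tgz: branch-3.1.tar.gz,
+}, {
+name: master,
+dir: branch-master,
+tgz: branch-master.tar.gz,
+},
+]
+
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+with:
+path: ${{ matrix.branch.dir }}
+repository: openssl/openssl
+ref: ${{ matrix.branch.name }}
+- name: localegen
+run: sudo locale-gen tr_TR.UTF-8
+
+- name: config branch
+if: false
+run: |
+./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
+working-directory: ${{ matrix.branch.dir }}
+- name: config dump current
+if: false
+run: ./configdata.pm --dump
+working-directory: ${{ matrix.branch.dir }}
+
+- name: make branch
+if: false
+run: make -s -j4
+working-directory: ${{ matrix.branch.dir }}
+
+- name: create branch artifacts
+run: tar czf ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
+
+- name: show module versions from branch
+if: false
+run: |
+./util/wrap.pl -fips apps/openssl list -provider-path providers \
+-provider base \
+-provider default \
+-provider fips \
+-provider legacy \
+-providers
+working-directory: ${{ matrix.branch.dir }}
+
+- name: test current
+if: false
+run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+working-directory: ${{ matrix.branch.dir }}
+
+- uses: actions/upload-artifact@v3
+with:
+name: ${{ matrix.branch.tgz }}
+path: ${{ matrix.branch.tgz }}
+retention-days: 7
+
+cross-testing:
+needs: [fips-releases, development-branches]
+runs-on: ubuntu-latest
+strategy:
+matrix:
+# These can't be figured out earlier and included here as a variable
+# substitution. Thus, there need to be two copies, both identical.
+# Tests of something against itself are skipped (because these are
+# pointless) as are tests of releases against other realease (because
+# they cannot possibly change over time).
+tree_a: [ branch-master, branch-3.1, branch-3.0,
+openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ]
+tree_b: [ branch-master, branch-3.1, branch-3.0,
+openssl-3.0.0, openssl-3.0.8, openssl-3.1.0 ]
+steps:
+- name: Early exit to avoid testing releases against other releases and auto-comparisons
+id: early_exit
+run: |
+if [ echo "${{ matrix.tree_b }}" | grep "^openssl-" ) && exit 1
+if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}"; then exit 1; fi
+continue-on-error: true
+
+- name: Remaining jobs
+if: steps.early_exit.outcome == 'success'
+run: echo ${{ matrix.tree_a }} ${{ matrix.tree_b }}
+
+- name: Create directory
+if: steps.early_exit.outcome == 'success'
+run: |
+echo "wd=${{ matrix.tree_a }}-${{ matrix.tree_b }}" >>$GITHUB_ENV
+mkdir ${{ env.wd }}
+- uses: actions/download-artifact@v3
+if: steps.early_exit.outcome == 'success'
+with:
+name: ${{ matrix.tree_a }}.tar.gz
+path: ${{ env.wd }}/${{ matrix.tree_a }}.tar.gz
+- name: ls
+run: |
+ls -R
+echo wd: ${{ env.wd }}
+- name: Unpack first build
+if: steps.early_exit.outcome == 'success'
+run: tar xzf "${{ matrix.tree_a }}.tar.gz"
+working-directory: ${{ env.wd }}
+
+- uses: actions/download-artifact@v3
+if: steps.early_exit.outcome == 'success'
+with:
+name: ${{ matrix.tree_b }}.tar.gz
+path: ${{ env.wd }}/${{ matrix.tree_b }}.tar.gz
+- name: Unpack second build
+if: steps.early_exit.outcome == 'success'
+run: tar xzf "${{ matrix.tree_b }}.tar.gz"
+working-directory: ${{ env.wd }}
+
+- name: Set up validation of A with tree from B"
+if: false
+run: cp ${{ matrix.tree_a }}/providers/fips{module.cnf,.so} ${{ matrix.tree_b }}/current/providers/
+working-directory: ${{ env.wd }}
+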
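Review bot: The `early_exit` step in `cross-testing` cannot run as written: `if [ echo ... | grep "^openssl-" ) && exit 1` pairs `[` with `)` and has no `then`/`fi`, and the test on the following line is missing its closing `]`. Because the step sets `continue-on-error: true`, the shell syntax error yields outcome `failure` for every matrix pair, so every step gated on `steps.early_exit.outcome == 'success'` is skipped and the job still appears to finish green without comparing any provider. I would write the two checks as `case "${{ matrix.tree_b }}" in openssl-*) exit 1;; esac` and `if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; then exit 1; fi`. In `Create directory`, `mkdir ${{ env.wd }}` is expanded before that step's own `>>$GITHUB_ENV` write takes effect, so it receives an empty argument; assigning a shell variable first and using `mkdir "$wd"` avoids that. Separately, `download release source` unpacks whatever `wget` returns with no integrity check; a pinned SHA-256 per matrix entry, verified with `sha256sum -c` before `tar xzf`, would keep a tampered or truncated tarball out of the FIPS compatibility results.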