CI: stop recompiling openssl-sys on every Windows/macOS run (pin artifact mtimes)#14971
Merged
Merged
Conversation
openssl-sys's build script registers cargo:rerun-if-changed on the OpenSSL include directory, which cargo evaluates by mtime. On Windows and macOS the prebuilt OpenSSL is downloaded and extracted fresh on every CI run, so identical headers get new mtimes and openssl-sys (and everything downstream: openssl, cryptography-openssl, cryptography-cffi) recompiles every run despite a warm rust-cache. The Linux jobs don't have this problem because their OpenSSL builds are restored by actions/cache, which preserves mtimes. Set every extracted file's mtime to the artifact's created_at: an unchanged artifact always looks the same to cargo, while a rebuilt artifact gets a new timestamp and correctly triggers a rebuild. https://claude.ai/code/session_014StKTjk7GBcVdiWKimEsQb
reaperhulk
approved these changes
Jun 7, 2026
reaperhulk
pushed a commit
that referenced
this pull request
Jun 7, 2026
…low-up to #14971) (#14972) * Pin directory mtimes too in pin_artifact_mtimes cargo's rerun-if-changed on a directory also stats the directories themselves (that's how it detects file deletions), and extraction recreates them with fresh mtimes on every run. With only file mtimes pinned, openssl-sys still recompiled on every Windows/macOS run, as the first CI run with the previous change showed. https://claude.ai/code/session_014StKTjk7GBcVdiWKimEsQb * Refactor OpenSSL artifact download + mtime pinning into a reusable action https://claude.ai/code/session_014StKTjk7GBcVdiWKimEsQb --------- Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
After downloading the prebuilt OpenSSL artifacts on Windows and macOS, set every extracted file's mtime to the artifact's
created_at(via a small.github/bin/pin_artifact_mtimes.py, fed from the download action'sartifactsoutput).Why
openssl-sys's build script registerscargo:rerun-if-changedon the OpenSSL include directory, which cargo evaluates by mtime. On Windows and macOS the prebuilt OpenSSL is downloaded and extracted fresh on every CI run, so identical headers get brand-new mtimes — andopenssl-sys(plus everything downstream:openssl,cryptography-openssl,cryptography-cffi) recompiles on every run despite a warm rust-cache. Visible in any windows job log asCompiling openssl-sys v0.9.116/Compiling openssl v0.10.80(~30–45s of the build step).The Linux jobs don't have this problem because their custom OpenSSL builds are restored by
actions/cache, which preserves mtimes — which is exactly why this was a Windows/macOS-only symptom.Why the artifact's creation time
It's the semantically right timestamp: an unchanged artifact always presents identical mtimes to cargo (cache stays valid), while a rebuilt artifact gets a new
created_atand correctly triggers anopenssl-sysrebuild — no staleness window, no cache-key coupling, and it's guaranteed to be in the past (a content-derived timestamp would need care not to land in the future, which would make cargo permanently dirty).Expected impact
Removes the remaining ~30–45s of redundant compilation from every Windows job's "Build nox environment" step and the macOS equivalent. No cache key bump needed: the pinned mtimes are older than the timestamps recorded in existing cached fingerprints, so existing caches start hitting immediately — the first run on this PR should already show no
Compiling openssl-syson windows/macos.(Complements #14968, which removes the pyo3 chain recompiles; this one targets the openssl-sys side and is independent.)
https://claude.ai/code/session_014StKTjk7GBcVdiWKimEsQb
Generated by Claude Code