From e8ba1eade3655ce64e4ce0301e1d83b1cfd34795 Mon Sep 17 00:00:00 2001 
From: aidan garske
Date: Fri, 22 May 2026 23:24:45 -0700
Subject: [PATCH 01/26] ci: pause non-smoke workflows on draft PRs, add smoke preflight
---
 .github/actions/wait-for-smoke/action.yml | 95 +++++++++++++++++++++++
 .github/workflows/bind9.yml | 3 +
 .github/workflows/cjose.yml | 3 +
 .github/workflows/cmdline.yml | 2 +
 .github/workflows/codespell.yml | 2 +
 .github/workflows/curl.yml | 3 +
 .github/workflows/debian-package.yml | 3 +
 .github/workflows/fips-ready.yml | 2 +
 .github/workflows/git-ssh-dr.yml | 3 +
 .github/workflows/grpc.yml | 3 +
 .github/workflows/hostap.yml | 3 +
 .github/workflows/iperf.yml | 3 +
 .github/workflows/krb5.yml | 3 +
 .github/workflows/libcryptsetup.yml | 3 +
 .github/workflows/libeac3.yml | 3 +
 .github/workflows/libfido2.yml | 3 +
 .github/workflows/libhashkit2.yml | 3 +
 .github/workflows/libnice.yml | 3 +
 .github/workflows/liboauth2.yml | 3 +
 .github/workflows/librelp.yml | 3 +
 .github/workflows/libssh2.yml | 3 +
 .github/workflows/libtss2.yml | 2 +
 .github/workflows/libwebsockets.yml | 3 +
 .github/workflows/multi-compiler.yml | 2 +
 .github/workflows/net-snmp.yml | 3 +
 .github/workflows/nginx.yml | 3 +
 .github/workflows/openldap.yml | 3 +
 .github/workflows/opensc.yml | 3 +
 .github/workflows/openssh.yml | 3 +
 .github/workflows/openssl-version.yml | 2 +
 .github/workflows/openvpn.yml | 3 +
 .github/workflows/pam-pkcs11.yml | 3 +
 .github/workflows/ppp.yml | 3 +
 .github/workflows/python3-ntp.yml | 3 +
 .github/workflows/qt5network5.yml | 3 +
 .github/workflows/rsync.yml | 3 +
 .github/workflows/seed-src.yml | 2 +
 .github/workflows/simple.yml | 2 +
 .github/workflows/smoke-test.yml | 59 ++++++++++++++
 .github/workflows/socat.yml | 3 +
 .github/workflows/sscep.yml | 3 +
 .github/workflows/sssd.yml | 2 +
 .github/workflows/stunnel.yml | 3 +
 .github/workflows/systemd.yml | 3 +
 .github/workflows/tcpdump.yml | 3 +
 .github/workflows/tnftp.yml | 3 +
 .github/workflows/tpm2-tools.yml | 3 +
 .github/workflows/x11vnc.yml | 3 +
 48 files changed, 283 insertions(+)
create mode 100644 .github/actions/wait-for-smoke/action.yml
create mode 100644 .github/workflows/smoke-test.yml
diff --git a/.github/actions/wait-for-smoke/action.yml b/.github/actions/wait-for-smoke/action.yml
new file mode 100644
index 00000000..b16f9de3
--- /dev/null
+++ b/.github/actions/wait-for-smoke/action.yml
@@ -0,0 +1,95 @@
+name: 'Wait for Smoke Test'
+description: 'Polls the Smoke Test workflow for the current commit and fails if it failed.'
+
+# Designed to be the leading job in pull_request-triggered workflows so that
+# expensive integration CI does not run unless the smoke build passes.
+#
+# Push events bypass the wait entirely (we still get smoke results for those
+# pushes, but other CI is not gated on push). For drafts, callers should
+# skip dependent jobs via `if: github.event.pull_request.draft == false` -
+# this action will still pass through if smoke is skipped or absent.
+
+inputs:
+ workflow:
+ description: 'Name of the smoke workflow file to wait on'
+ required: false
+ default: 'smoke-test.yml'
+ timeout-seconds:
+ description: 'Maximum time to wait for smoke to complete'
+ required: false
+ default: '1800'
+ poll-seconds:
+ description: 'Polling interval'
+ required: false
+ default: '20'
+ github-token:
+ description: 'GITHUB_TOKEN with actions:read permission'
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Wait for smoke
+ shell: bash
+ env:
+ GH_TOKEN: ${{ inputs.github-token }}
+ SMOKE_WORKFLOW: ${{ inputs.workflow }}
+ TIMEOUT: ${{ inputs.timeout-seconds }}
+ POLL: ${{ inputs.poll-seconds }}
+ REPO: ${{ github.repository }}
+ run: |
+ set -u
+ # Only gate pull_request events. Push events are not gated.
+ if [ "${{ github.event_name }}" != "pull_request" ]; then
+ echo "Not a pull_request event - skipping smoke gate."
+ exit 0
+ fi
+
+ HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+ echo "Waiting for $SMOKE_WORKFLOW on $HEAD_SHA (timeout ${TIMEOUT}s)"
+
+ START=$(date +%s)
+ while :; do
+ NOW=$(date +%s)
+ ELAPSED=$((NOW - START))
+ if [ "$ELAPSED" -ge "$TIMEOUT" ]; then
+ echo "::error::Timed out after ${TIMEOUT}s waiting for $SMOKE_WORKFLOW on $HEAD_SHA"
+ exit 1
+ fi
+
+ # Look up the latest run for this workflow + head SHA.
+ RUN_JSON=$(gh api \
+ "repos/${REPO}/actions/workflows/${SMOKE_WORKFLOW}/runs?head_sha=${HEAD_SHA}&per_page=1" \
+ 2>/dev/null || echo '{}')
+
+ STATUS=$(echo "$RUN_JSON" | jq -r '.workflow_runs[0].status // "missing"')
+ CONCLUSION=$(echo "$RUN_JSON" | jq -r '.workflow_runs[0].conclusion // ""')
+ RUN_URL=$(echo "$RUN_JSON" | jq -r '.workflow_runs[0].html_url // ""')
+
+ case "$STATUS" in
+ completed)
+ case "$CONCLUSION" in
+ success)
+ echo "Smoke test passed: $RUN_URL"
+ exit 0
+ ;;
+ skipped|neutral)
+ echo "Smoke test was $CONCLUSION - treating as pass: $RUN_URL"
+ exit 0
+ ;;
+ *)
+ echo "::error::Smoke test concluded as '$CONCLUSION': $RUN_URL"
+ exit 1
+ ;;
+ esac
+ ;;
+ missing)
+ echo "[$ELAPSED s] No smoke run yet for $HEAD_SHA"
+ ;;
+ *)
+ echo "[$ELAPSED s] Smoke status=$STATUS ($RUN_URL)"
+ ;;
+ esac
+
+ sleep "$POLL"
+ done
diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml
index 264bf1f7..4ae71e63 100644
--- a/.github/workflows/bind9.yml
+++ b/.github/workflows/bind9.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_bind:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml
index 3d593a89..78261fdc 100644
--- a/.github/workflows/cjose.yml
+++ b/.github/workflows/cjose.yml
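Review bot: The run lookup in the polling loop, `gh api ... 2>/dev/null || echo '{}'`, maps every API failure (a token without `actions:read`, rate limiting, a workflow file name that does not exist) onto the `missing` arm, so a misconfigured caller polls silently for the full `timeout-seconds` (1800 s by default) and then fails with a timeout message that points at the smoke run rather than at the lookup. Keeping stderr and logging it separates the two cases: `RUN_JSON=$(gh api "…" 2>&1) || { echo "::warning::gh api failed: $RUN_JSON"; RUN_JSON='{}'; }`. The other inputs reach the script through `env:`, but `github.event_name` and `github.event.pull_request.head.sha` are template-expanded straight into `run:`; both are fixed-format values, so there is no injection here, but routing them through `env:` as well would keep the script free of expression expansion. Nothing else in this patch references the new action, so presumably a later patch in the series adds it as the leading job the header comment describes.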
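Review bot: The `if:` added to `test_bind` in the third bind9.yml hunk duplicates the one on `build_wolfprovider`: `test_bind` has `needs: build_wolfprovider`, and a job whose dependency was skipped is itself skipped unless it opts out with `always()` or `!cancelled()`, so on a draft PR the second guard never decides anything. Keeping it as a belt-and-braces guard is reasonable, but then a comment such as `# Kept in case a later edit adds always() to this job` would explain the repetition. The same pair appears in cjose.yml, curl.yml, debian-package.yml, git-ssh-dr.yml and every other file in this patch that gates a `test_*` job behind `build_wolfprovider`. Since the expression is now copied into roughly eighty jobs, the shorter and widely used form `if: ${{ !github.event.pull_request.draft }}` (true on push events because `github.event.pull_request` is absent there) would reduce the chance of a typo in one copy going unnoticed.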
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_cjose:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 # Run inside Debian Bookworm to match packaging environment
diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml
index 7183fcaf..78c99fbd 100644
--- a/.github/workflows/cmdline.yml
+++ b/.github/workflows/cmdline.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 cmdtest_test:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 name: Command line test
 runs-on: ubuntu-22.04
 timeout-minutes: 20
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 374e61bc..576df4ca 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 codespell:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 name: Check for spelling errors
 runs-on: ubuntu-22.04
 timeout-minutes: 5
diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml
index 5f49d55f..042f6764 100644
--- a/.github/workflows/curl.yml
+++ b/.github/workflows/curl.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_curl:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
index 2be668d5..0cc1db88 100644
--- a/.github/workflows/debian-package.yml
+++ b/.github/workflows/debian-package.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true, false ]
 
 libwolfprov-replace-default:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 name: libwolfprov ${{ matrix.replace_default && 'replace-default' || 'standalone' }} ${{ matrix.fips_ref }}
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml
index d5d0d1e1..fb2b65ca 100644
--- a/.github/workflows/fips-ready.yml
+++ b/.github/workflows/fips-ready.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 fips_ready_test:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 name: FIPS Ready Bundle Test
 runs-on: ubuntu-22.04
 timeout-minutes: 20
diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml
index 881f5b33..5fbc09c8 100644
--- a/.github/workflows/git-ssh-dr.yml
+++ b/.github/workflows/git-ssh-dr.yml
@@ -5,6 +5,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,6 +13,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -26,6 +28,7 @@ jobs:
 replace_default: [ true ]
 
 git-ssh-default-replace-test:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 container:
 image: debian:bookworm
diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml
index 1761a66c..8a92c257 100644
--- a/.github/workflows/grpc.yml
+++ b/.github/workflows/grpc.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_grpc:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml
index 370709f7..79c05f61 100644
--- a/.github/workflows/hostap.yml
+++ b/.github/workflows/hostap.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**']
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_hostap:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 # Run inside Debian Bookworm with privileged access for UML
diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml
index 5f9c3c3d..ec0dc4e7 100644
--- a/.github/workflows/iperf.yml
+++ b/.github/workflows/iperf.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_iperf:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml
index 05f0d7be..2e0e4c2f 100644
--- a/.github/workflows/krb5.yml
+++ b/.github/workflows/krb5.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_krb5:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml
index 6727bf5e..64d66e70 100644
--- a/.github/workflows/libcryptsetup.yml
+++ b/.github/workflows/libcryptsetup.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_cryptsetup:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml
index 3c53ff21..1521ccd8 100644
--- a/.github/workflows/libeac3.yml
+++ b/.github/workflows/libeac3.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_libeac3:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml
index cf375313..a26b0eef 100644
--- a/.github/workflows/libfido2.yml
+++ b/.github/workflows/libfido2.yml
@@ -4,12 +4,14 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -24,6 +26,7 @@ jobs:
 replace_default: [ true ]
 
 test_libfido2:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml
index db5844c9..627c6710 100644
--- a/.github/workflows/libhashkit2.yml
+++ b/.github/workflows/libhashkit2.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_libhashkit2:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml
index e82a4ee0..c6519f73 100644
--- a/.github/workflows/libnice.yml
+++ b/.github/workflows/libnice.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_libnice:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml
index 6a294be5..ffc217ad 100644
--- a/.github/workflows/liboauth2.yml
+++ b/.github/workflows/liboauth2.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_liboauth2:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml
index 002c4fd8..d771b65b 100644
--- a/.github/workflows/librelp.yml
+++ b/.github/workflows/librelp.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_librelp:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 # Run inside Debian Bookworm to match packaging environment
diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml
index f5c59177..ae48c88c 100644
--- a/.github/workflows/libssh2.yml
+++ b/.github/workflows/libssh2.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_libssh2:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml
index aaf434b0..d53302ea 100644
--- a/.github/workflows/libtss2.yml
+++ b/.github/workflows/libtss2.yml
@@ -4,12 +4,14 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 jobs:
 test_tpm2_tss:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 timeout-minutes: 30
 strategy:
diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml
index c471fce2..499e6a30 100644
--- a/.github/workflows/libwebsockets.yml
+++ b/.github/workflows/libwebsockets.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_libwebsockets:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml
index 8619977f..46c4ab33 100644
--- a/.github/workflows/multi-compiler.yml
+++ b/.github/workflows/multi-compiler.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 name: Build with compiler ${{ matrix.CC }}, wolfssl ${{ matrix.wolfssl_ref }}, OpenSSL ${{ matrix.openssl_ref }}
 runs-on: ${{ matrix.OS }}
 timeout-minutes: 20
diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml
index dcb806b3..5e2cfaac 100644
--- a/.github/workflows/net-snmp.yml
+++ b/.github/workflows/net-snmp.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_net_snmp:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
index 1159b765..04cad097 100644
--- a/.github/workflows/nginx.yml
+++ b/.github/workflows/nginx.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_nginx:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml
index 5b85854a..b67926d9 100644
--- a/.github/workflows/openldap.yml
+++ b/.github/workflows/openldap.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_openldap:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml
index f8b44d12..07c9161e 100644
--- a/.github/workflows/opensc.yml
+++ b/.github/workflows/opensc.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_opensc:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml
index b4b2e835..f35c0e8a 100644
--- a/.github/workflows/openssh.yml
+++ b/.github/workflows/openssh.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_openssh:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml
index 90e6a77d..c8f34783 100644
--- a/.github/workflows/openssl-version.yml
+++ b/.github/workflows/openssl-version.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 openssl_version_test:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 continue-on-error: true
 name: OpenSSL Version Test
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
index de421158..a2498f8e 100644
--- a/.github/workflows/openvpn.yml
+++ b/.github/workflows/openvpn.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_openvpn:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 # This should be a safe limit for the tests to run.
diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml
index a3666bba..f2ee7939 100644
--- a/.github/workflows/pam-pkcs11.yml
+++ b/.github/workflows/pam-pkcs11.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_pam_pkcs11:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml
index 457f81c5..400dfecd 100644
--- a/.github/workflows/ppp.yml
+++ b/.github/workflows/ppp.yml
@@ -5,6 +5,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,6 +13,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -26,6 +28,7 @@ jobs:
 replace_default: [ true ]
 
 test_ppp:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml
index 21881f32..61484b9f 100644
--- a/.github/workflows/python3-ntp.yml
+++ b/.github/workflows/python3-ntp.yml
@@ -6,6 +6,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
 replace_default: [ true ]
 
 test_python3-ntp:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 # This should be a safe limit for the tests to run.
diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml
index f12581d0..2b226f66 100644
--- a/.github/workflows/qt5network5.yml
+++ b/.github/workflows/qt5network5.yml
@@ -4,6 +4,7 @@ on:
 branches: [ 'master', 'main', 'release/**' ]
 pull_request:
 branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -11,6 +12,7 @@ concurrency:
 
 jobs:
 build_wolfprovider:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
 wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -25,6 +27,7 @@ jobs:
 replace_default: [ true ]
 
 test_qtbase_network:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml
index 57f64e20..6f6e793a 100644
--- a/.github/workflows/rsync.yml
+++ b/.github/workflows/rsync.yml
@@ -4,6 +4,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -11,6 +12,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -25,6 +27,7 @@ jobs: replace_default: [ true ] test_rsync: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider timeout-minutes: 15 diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml index 37e89703..7155b45f 100644 --- a/.github/workflows/seed-src.yml +++ b/.github/workflows/seed-src.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: seed_src_test: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: SEED-SRC Test runs-on: ubuntu-22.04 timeout-minutes: 20 diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index 19c30ab4..3430a1aa 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: simple_test: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: Simple Test runs-on: ubuntu-22.04 timeout-minutes: 20 diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml new file mode 100644 index 00000000..4d800d6f --- /dev/null 
+++ b/.github/workflows/smoke-test.yml
@@ -0,0 +1,59 @@
+name: Smoke Test
+
+# Fast pre-flight build + test for wolfProvider against a single
+wolfSSL/OpenSSL combo. Intentionally runs on drafts too: this is the
+# gate that protects the rest of CI from broken commits. Other PR
+# workflows can `uses:` the companion .github/actions/wait-for-smoke
+# action to require this to pass before their expensive build matrices
+# kick off.
+
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+ group: smoke-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ smoke:
+ name: Smoke build (${{ matrix.config.name }})
+ runs-on: ubuntu-22.04
+ timeout-minutes: 20
+ strategy:
+ fail-fast: false
+ matrix:
+ config:
+ - name: master/openssl-3.5
+ wolfssl_ref: master
+ openssl_ref: openssl-3.5.4
+ extra: ""
+ - name: stable/openssl-3.5
+ wolfssl_ref: v5.8.4-stable
+ openssl_ref: openssl-3.5.4
+ extra: ""
+
+ steps:
+ - name: Checkout wolfProvider
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Build and test wolfProvider
+ run: |
+ OPENSSL_TAG=${{ matrix.config.openssl_ref }} \
+ WOLFSSL_TAG=${{ matrix.config.wolfssl_ref }} \
+ ./scripts/build-wolfprovider.sh ${{ matrix.config.extra }}
+
+ - name: Print errors
+ if: ${{ failure() }}
+ run: |
+ if [ -f test-suite.log ] ; then
+ cat test-suite.log
+ fi
diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml
index 1abeadfe..df9bdbeb 100644
--- a/.github/workflows/socat.yml
+++ b/.github/workflows/socat.yml
@@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ]
+ types: [opened, synchronize, reopened, ready_for_review]
concurrency: group: ${{ github.workflow }}-${{ github.ref }}
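Review bot: `uses: actions/checkout@v4` in the new `smoke` job pins a mutable tag rather than a commit, so the job the header comment describes as the gate protecting the rest of CI is only as trustworthy as whoever can move that tag; pin it as `uses: actions/checkout@<full-commit-sha>  # v4` and let the repository's existing dependabot config keep the version comment current. The build step also interpolates `${{ matrix.config.openssl_ref }}`, `${{ matrix.config.wolfssl_ref }}` and `${{ matrix.config.extra }}` directly into the `run:` script; every value is defined in this file, so there is no injection exposure today, but routing them through `env:` keeps expression syntax out of the shell text and matches the least-privilege posture the file already takes with `permissions: contents: read`. If the `extra` field is kept as a free-form argument string, note that it is expanded unquoted on purpose so a future multi-word value is word-split into separate arguments, as the inline expansion does now.
```yaml
# … unchanged: checkout step …
      - name: Build and test wolfProvider
        env:
          OPENSSL_TAG: ${{ matrix.config.openssl_ref }}
          WOLFSSL_TAG: ${{ matrix.config.wolfssl_ref }}
          BUILD_EXTRA: ${{ matrix.config.extra }}
        # BUILD_EXTRA is left unquoted on purpose: it holds zero or more args.
        run: ./scripts/build-wolfprovider.sh $BUILD_EXTRA
# … unchanged: Print errors step …
```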
@@ -14,6 +15,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -28,6 +30,7 @@ jobs: replace_default: [ true ] test_socat: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider continue-on-error: true diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index 4ea28a9b..68d7b622 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -28,6 +30,7 @@ jobs: replace_default: [ true ] test_sscep: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider timeout-minutes: 10 diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index ceb6d80f..cfc6d5a8 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: test_sssd: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 timeout-minutes: 20 container: diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index cae41223..bccfada9 100644 
--- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -28,6 +30,7 @@ jobs: replace_default: [ true ] test_stunnel: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider container: diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index 4ae223fd..887c0191 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml @@ -6,6 +6,7 @@ on: branches: ['master', 'main', 'release/**'] pull_request: branches: ['*'] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -28,6 +30,7 @@ jobs: replace_default: [ true ] test_systemd: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider # This should be a safe limit for the tests to run. diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index 295a4b09..336d1654 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml 
@@ -5,12 +5,14 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -25,6 +27,7 @@ jobs: replace_default: [ true ] test_tcpdump: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider continue-on-error: true diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 6beaf3e8..5a4ab210 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -28,6 +30,7 @@ jobs: replace_default: [ true ] test_tnftp: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider container: diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 76e71b00..8479dc9c 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
@@ -14,6 +15,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -28,6 +30,7 @@ jobs: replace_default: [ true ] test_tpm2_tools: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider container: diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index 40c3cb44..5cdd7316 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml @@ -6,6 +6,7 @@ on: branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -14,6 +15,7 @@ concurrency: jobs: build_wolfprovider: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -28,6 +30,7 @@ jobs: replace_default: [ true ] test_x11vnc: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: build_wolfprovider container: From c1706da00afa794a42909270ed4830ea941f937a Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 11:32:08 -0700 Subject: [PATCH 02/26] ci: trim PR matrices and add paths-ignore (Phase A + E1) Reduce per-PR job count by dropping coverage axes that don't change behavior on PR. The full sweeps that left the PR matrix move to a nightly schedule in a follow-up commit. - simple.yml: 48 -> 4 jobs. Drop --debug axis (debug only on nightly). Trim openssl_ref to newest 3.5.x + oldest 3.0.x (was 6 versions). Keep one wolfssl_ref (v5.8.4-stable). - git-ssh-dr.yml: 16 -> 8 jobs. key_type [rsa, ed25519] on PR (was 4 values), iterations 3 (was 10). - curl.yml: drop second curl_ref on PR. - openssh.yml: drop second openssh_ref on PR. paths-ignore on every pull_request trigger so docs/README-only PRs skip the full CI sweep. List covers **.md, docs/, LICENSE*, README*, CHANGELOG*, .github/ISSUE_TEMPLATE/**, dependabot config, .gitignore, AUTHORS, COPYING. xmlsec.yml is skipped (its pull_request: block is commented out). --- .github/workflows/bind9.yml | 11 +++++++++++ .github/workflows/cjose.yml | 11 +++++++++++ .github/workflows/cmdline.yml | 11 +++++++++++ .github/workflows/codespell.yml | 11 +++++++++++ .github/workflows/curl.yml | 14 +++++++++++++- .github/workflows/debian-package.yml | 11 +++++++++++ .github/workflows/fips-ready.yml | 11 +++++++++++ .github/workflows/git-ssh-dr.yml | 17 +++++++++++++++-- .github/workflows/grpc.yml | 11 +++++++++++ .github/workflows/hostap.yml | 11 +++++++++++ .github/workflows/iperf.yml | 11 +++++++++++ .github/workflows/krb5.yml | 11 +++++++++++ .github/workflows/libcryptsetup.yml | 11 +++++++++++ .github/workflows/libeac3.yml | 11 +++++++++++ .github/workflows/libfido2.yml | 11 +++++++++++ .github/workflows/libhashkit2.yml | 11 +++++++++++ .github/workflows/libnice.yml | 11 +++++++++++ .github/workflows/liboauth2.yml | 11 +++++++++++ .github/workflows/librelp.yml | 11 +++++++++++ .github/workflows/libssh2.yml | 11 +++++++++++ .github/workflows/libtss2.yml | 11 +++++++++++ 
.github/workflows/libwebsockets.yml | 11 +++++++++++ .github/workflows/multi-compiler.yml | 11 +++++++++++ .github/workflows/net-snmp.yml | 11 +++++++++++ .github/workflows/nginx.yml | 11 +++++++++++ .github/workflows/openldap.yml | 11 +++++++++++ .github/workflows/opensc.yml | 11 +++++++++++ .github/workflows/openssh.yml | 14 +++++++++++++- .github/workflows/openssl-version.yml | 11 +++++++++++ .github/workflows/openvpn.yml | 11 +++++++++++ .github/workflows/pam-pkcs11.yml | 11 +++++++++++ .github/workflows/ppp.yml | 11 +++++++++++ .github/workflows/python3-ntp.yml | 11 +++++++++++ .github/workflows/qt5network5.yml | 11 +++++++++++ .github/workflows/rsync.yml | 11 +++++++++++ .github/workflows/seed-src.yml | 11 +++++++++++ .github/workflows/simple.yml | 24 +++++++++++++++--------- .github/workflows/smoke-test.yml | 11 +++++++++++ .github/workflows/socat.yml | 11 +++++++++++ .github/workflows/sscep.yml | 11 +++++++++++ .github/workflows/sssd.yml | 11 +++++++++++ .github/workflows/stunnel.yml | 11 +++++++++++ .github/workflows/systemd.yml | 11 +++++++++++ .github/workflows/tcpdump.yml | 11 +++++++++++ .github/workflows/tnftp.yml | 11 +++++++++++ .github/workflows/tpm2-tools.yml | 11 +++++++++++ .github/workflows/x11vnc.yml | 11 +++++++++++ 47 files changed, 529 insertions(+), 13 deletions(-) diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index 4ae71e63..be83d1af 100644 --- a/.github/workflows/bind9.yml +++ b/.github/workflows/bind9.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index 78261fdc..047d01bd 100644 --- a/.github/workflows/cjose.yml 
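Review bot: The `paths-ignore` block added under `pull_request` (here in bind9.yml and identically in every other workflow this commit touches) means a PR that only changes ignored paths produces no run of that workflow at all. If any of these jobs is configured as a required status check on the protected branches, GitHub keeps the check in the "Expected" state for such a PR and the merge never unlocks; the documented remedy is either to drop those jobs from the required set or to add a sibling workflow with the inverse `paths:` list whose job has the same name and simply succeeds. This is worth confirming against the branch-protection rules before the change lands. The `push:` trigger sits outside this hunk and, judging by the 11 added lines per file, does not receive the filter, so post-merge runs on master still get the full sweep; a comment such as `# push stays unfiltered so merges to master always run the full sweep` above it would make that asymmetry read as intended rather than as an oversight.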
+++ b/.github/workflows/cjose.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml index 78c99fbd..6ece38fd 100644 --- a/.github/workflows/cmdline.yml +++ b/.github/workflows/cmdline.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 576df4ca..7618aac6 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 042f6764..aad6ce69 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml 
@@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -41,7 +52,8 @@ jobs: timeout-minutes: 20 strategy: matrix: - curl_ref: [ 'curl-8_4_0', 'curl-7_88_1' ] + # PR runs latest curl only; older refs run in the nightly sweep. + curl_ref: [ 'curl-8_4_0' ] wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 0cc1db88..965671b8 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml index fb2b65ca..3d1581e0 100644 --- a/.github/workflows/fips-ready.yml +++ b/.github/workflows/fips-ready.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index 5fbc09c8..66b912e8 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml 
@@ -6,6 +6,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -43,9 +54,11 @@ jobs: openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] - key_type: [ 'rsa', 'ecdsa', 'ed25519', 'chacha20-poly1305' ] + # PR matrix: 2 of 4 key types and 3 iterations. + # Full key_type sweep + 10-iteration soak runs nightly. + key_type: [ 'rsa', 'ed25519' ] force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] - iterations: [ 10 ] # Total of 50 runs + iterations: [ 3 ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 8a92c257..3e6b3114 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index 79c05f61..83b80df9 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
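Review bot: Narrowing `key_type` to `[ 'rsa', 'ed25519' ]` in git-ssh-dr.yml removes ECDSA from every PR run, and ECDSA signing and verification exercise different provider signature code than RSA or Ed25519, so a regression there would now surface only in the nightly sweep that the commit message says is still to come. If the job budget is the constraint, consider keeping `'ecdsa'` and trimming elsewhere, or at minimum have the new comment point at the nightly workflow once it exists, e.g. `# Full key_type sweep + 10-iteration soak runs nightly in <nightly-workflow>.yml`, so the coverage gap is discoverable from this file. The removed `# Total of 50 runs` comment was already stale for the old matrix, so dropping it rather than recomputing it is the right call. The `strategy:` block edited here starts outside the hunk; the job header and its `needs:` are not visible.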
diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index ec0dc4e7..ebf215fa 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 2e0e4c2f..78509e9d 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index 64d66e70..7df82bfb 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 1521ccd8..57eb0a86 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml 
@@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index a26b0eef..8d09b7a9 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml @@ -5,6 +5,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index 627c6710..582e9be6 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index c6519f73..a41e30e8 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml 
@@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index ffc217ad..bdc20af5 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index d771b65b..ddc61d89 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index ae48c88c..d48272ab 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml 
@@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index d53302ea..5af12846 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -5,6 +5,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index 499e6a30..50301160 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml index 46c4ab33..366e8ba5 100644 --- a/.github/workflows/multi-compiler.yml +++ b/.github/workflows/multi-compiler.yml 
@@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 5e2cfaac..8971d9ec 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 04cad097..358073f2 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index b67926d9..5645dd3b 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index 07c9161e..967a9d89 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index f35c0e8a..9e8cb926 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -51,7 +62,8 @@ jobs: timeout-minutes: 20 strategy: matrix: - openssh_ref: [ 'V_10_0_P2', 'V_9_9_P1' ] + # PR runs latest openssh only; older refs run in the nightly sweep. + openssh_ref: [ 'V_10_0_P2' ] wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'non-FIPS' ] # FIPS is not yet supported for OpenSSH diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml index c8f34783..64307c35 100644 --- a/.github/workflows/openssl-version.yml +++ b/.github/workflows/openssl-version.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index a2498f8e..dbb30276 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index f2ee7939..bcd51522 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -7,6 +7,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index 400dfecd..9b265161 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -6,6 +6,17 @@ on: pull_request: branches: [ '*' ] types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index 61484b9f..6a5fb1ca 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml 
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml
index 2b226f66..03aea3e1 100644
--- a/.github/workflows/qt5network5.yml
+++ b/.github/workflows/qt5network5.yml
@@ -5,6 +5,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml
index 6f6e793a..097f08a5 100644
--- a/.github/workflows/rsync.yml
+++ b/.github/workflows/rsync.yml
@@ -5,6 +5,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml
index 7155b45f..4489d4fc 100644
--- a/.github/workflows/seed-src.yml
+++ b/.github/workflows/seed-src.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml
index 3430a1aa..7c603278 100644
--- a/.github/workflows/simple.yml
+++ b/.github/workflows/simple.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -21,18 +32,13 @@ jobs:
 timeout-minutes: 20
 strategy:
 matrix:
- wolfssl_ref: [
- 'master',
- 'v5.8.4-stable']
- # Test against the newest of each minor version
+ # PR matrix: newest stable wolfssl + newest 3.5 and oldest 3.0 OpenSSL
+ # = 1 x 2 x 1 x 2 = 4 jobs. Full sweep runs nightly.
+ wolfssl_ref: [ 'v5.8.4-stable' ]
 openssl_ref: [ 'openssl-3.5.4',
- 'openssl-3.4.2',
- 'openssl-3.3.4',
- 'openssl-3.2.5',
- 'openssl-3.1.8',
 'openssl-3.0.17']
- debug: ['', '--debug']
+ debug: ['']
 replace_default: [
 '',
 '--replace-default --enable-replace-default-testing']
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index 4d800d6f..6519d098 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@@ -13,6 +13,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: smoke-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml
index df9bdbeb..28de2b80 100644
--- a/.github/workflows/socat.yml
+++ b/.github/workflows/socat.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml
index 68d7b622..2465cb20 100644
--- a/.github/workflows/sscep.yml
+++ b/.github/workflows/sscep.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml
index cfc6d5a8..05c99340 100644
--- a/.github/workflows/sssd.yml
+++ b/.github/workflows/sssd.yml
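Review bot: The `paths-ignore` list added to smoke-test.yml has to stay identical to the one added to every gated workflow, because the second commit on this page documents that the wait-for-smoke gate treats a skipped smoke run as a pass: any pattern present here but missing from a heavy workflow would let that workflow run ungated for a matching PR. The lists are identical today, so this is a maintenance hazard rather than a defect, but the coupling is invisible at the place it will be edited. A marker above the list, `# Keep identical to the paths-ignore list in every workflow gated by wait-for-smoke`, makes it visible; the same marker in the gated workflows would point back here.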
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml
index bccfada9..f1e0e84a 100644
--- a/.github/workflows/stunnel.yml
+++ b/.github/workflows/stunnel.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml
index 887c0191..b24a3c77 100644
--- a/.github/workflows/systemd.yml
+++ b/.github/workflows/systemd.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: ['*']
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml
index 336d1654..9a1c5217 100644
--- a/.github/workflows/tcpdump.yml
+++ b/.github/workflows/tcpdump.yml
@@ -6,6 +6,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml
index 5a4ab210..4f6bb0e0 100644
--- a/.github/workflows/tnftp.yml
+++ b/.github/workflows/tnftp.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml
index 8479dc9c..bac8d14b 100644
--- a/.github/workflows/tpm2-tools.yml
+++ b/.github/workflows/tpm2-tools.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml
index 5cdd7316..bd700a97 100644
--- a/.github/workflows/x11vnc.yml
+++ b/.github/workflows/x11vnc.yml
@@ -7,6 +7,17 @@ on:
 pull_request:
 branches: [ '*' ]
 types: [opened, synchronize, reopened, ready_for_review]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE*'
+ - '.github/ISSUE_TEMPLATE/**'
+ - '.github/dependabot.yml'
+ - '.gitignore'
+ - 'AUTHORS'
+ - 'COPYING'
+ - 'README*'
+ - 'CHANGELOG*'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
From 382c487cac96301d40d40fca577617b2c34bbf04 Mon Sep 17 00:00:00 2001
From: aidan garske Date: Mon, 25 May 2026 11:38:41 -0700 Subject: [PATCH 03/26] ci: gate heavy workflows on smoke via wait-for-smoke action (Phase F2) The existing draft-PR skip already prevents heavy CI from running on WIP PRs, but every workflow still spins up its full matrix the moment a PR is marked ready-for-review. Add a leading wait_for_smoke job to every workflow that calls build-wolfprovider.yml so the smoke build acts as the single cross-workflow gate. How it works: - wait_for_smoke runs the .github/actions/wait-for-smoke composite action. The action is a no-op on non-PR events (push to master exits immediately). - On a pull_request, it polls the Smoke Test workflow run for the head SHA and exits success when smoke passes, failure when it fails, success when smoke was skipped (e.g. paths-ignore). - Downstream build_wolfprovider needs wait_for_smoke, so a failed smoke skips the entire heavy build/test matrix for that workflow. - Draft PRs still skip via the existing `if:` (wait_for_smoke is skipped, dependents skip transitively). Applies to 38 workflows. xmlsec.yml is skipped because its pull_request trigger is commented out (push-to-master only). Estimated savings on a broken-build PR: ~280 jobs that previously ran to apt-get or build failure now never start. 
--- .github/workflows/bind9.yml | 14 ++++++++++++++ .github/workflows/cjose.yml | 14 ++++++++++++++ .github/workflows/curl.yml | 14 ++++++++++++++ .github/workflows/debian-package.yml | 14 ++++++++++++++ .github/workflows/git-ssh-dr.yml | 14 ++++++++++++++ .github/workflows/grpc.yml | 14 ++++++++++++++ .github/workflows/hostap.yml | 14 ++++++++++++++ .github/workflows/iperf.yml | 14 ++++++++++++++ .github/workflows/krb5.yml | 14 ++++++++++++++ .github/workflows/libcryptsetup.yml | 14 ++++++++++++++ .github/workflows/libeac3.yml | 14 ++++++++++++++ .github/workflows/libfido2.yml | 14 ++++++++++++++ .github/workflows/libhashkit2.yml | 14 ++++++++++++++ .github/workflows/libnice.yml | 14 ++++++++++++++ .github/workflows/liboauth2.yml | 14 ++++++++++++++ .github/workflows/librelp.yml | 14 ++++++++++++++ .github/workflows/libssh2.yml | 14 ++++++++++++++ .github/workflows/libwebsockets.yml | 14 ++++++++++++++ .github/workflows/multi-compiler.yml | 14 ++++++++++++++ .github/workflows/net-snmp.yml | 14 ++++++++++++++ .github/workflows/nginx.yml | 14 ++++++++++++++ .github/workflows/openldap.yml | 14 ++++++++++++++ .github/workflows/opensc.yml | 14 ++++++++++++++ .github/workflows/openssh.yml | 14 ++++++++++++++ .github/workflows/openvpn.yml | 14 ++++++++++++++ .github/workflows/pam-pkcs11.yml | 14 ++++++++++++++ .github/workflows/ppp.yml | 14 ++++++++++++++ .github/workflows/python3-ntp.yml | 14 ++++++++++++++ .github/workflows/qt5network5.yml | 14 ++++++++++++++ .github/workflows/rsync.yml | 14 ++++++++++++++ .github/workflows/socat.yml | 14 ++++++++++++++ .github/workflows/sscep.yml | 14 ++++++++++++++ .github/workflows/stunnel.yml | 14 ++++++++++++++ .github/workflows/systemd.yml | 14 ++++++++++++++ .github/workflows/tcpdump.yml | 14 ++++++++++++++ .github/workflows/tnftp.yml | 14 ++++++++++++++ .github/workflows/tpm2-tools.yml | 14 ++++++++++++++ .github/workflows/x11vnc.yml | 14 ++++++++++++++ 38 files changed, 532 insertions(+) 
diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml
index be83d1af..4ea8e7d5 100644
--- a/.github/workflows/bind9.yml
+++ b/.github/workflows/bind9.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml
index 047d01bd..f3e666b7 100644
--- a/.github/workflows/cjose.yml
+++ b/.github/workflows/cjose.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml
index aad6ce69..decd1aa3 100644
--- a/.github/workflows/curl.yml
+++ b/.github/workflows/curl.yml
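Review bot: The new `wait_for_smoke` job hands `secrets.GITHUB_TOKEN` to the composite action without a job-level `permissions:` block, so the scope the polling call runs with is whatever the repository default happens to be; reading workflow runs needs only `actions: read` (plus `contents: read` for the checkout step), so adding `permissions:` / `  actions: read` / `  contents: read` to the job keeps it at least privilege and makes it fail visibly, rather than in the action's error handling, if the repository default is ever tightened. The block is byte-identical in every hunk of this commit, from bind9.yml through the stunnel.yml section, so the fix belongs in all of them. Two smaller points on the same block: `actions/checkout@v4` is a mutable tag, which should be a commit SHA if the other workflows in this repository pin their actions that way, and with `timeout-minutes: 35` each gated workflow parks a runner polling for up to 35 minutes, so one ready PR can hold up to 38 idle runners while smoke runs — a cost the job-count savings in the commit message do not account for.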
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
index 965671b8..7d5269af 100644
--- a/.github/workflows/debian-package.yml
+++ b/.github/workflows/debian-package.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml
index 66b912e8..5ccc861a 100644
--- a/.github/workflows/git-ssh-dr.yml
+++ b/.github/workflows/git-ssh-dr.yml
@@ -23,7 +23,21 @@ concurrency:
 cancel-in-progress: true
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml
index 3e6b3114..18ce6202 100644
--- a/.github/workflows/grpc.yml
+++ b/.github/workflows/grpc.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml
index 83b80df9..b4d8de2e 100644
--- a/.github/workflows/hostap.yml
+++ b/.github/workflows/hostap.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml
index ebf215fa..492a07ca 100644
--- a/.github/workflows/iperf.yml
+++ b/.github/workflows/iperf.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml
index 78509e9d..1d86cfc9 100644
--- a/.github/workflows/krb5.yml
+++ b/.github/workflows/krb5.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml
index 7df82bfb..49a45e96 100644
--- a/.github/workflows/libcryptsetup.yml
+++ b/.github/workflows/libcryptsetup.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml
index 57eb0a86..43de06ce 100644
--- a/.github/workflows/libeac3.yml
+++ b/.github/workflows/libeac3.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml
index 8d09b7a9..4f81ffdd 100644
--- a/.github/workflows/libfido2.yml
+++ b/.github/workflows/libfido2.yml
@@ -21,7 +21,21 @@ concurrency:
 cancel-in-progress: true
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml
index 582e9be6..1fa16d1f 100644
--- a/.github/workflows/libhashkit2.yml
+++ b/.github/workflows/libhashkit2.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml
index a41e30e8..ac4e9106 100644
--- a/.github/workflows/libnice.yml
+++ b/.github/workflows/libnice.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml
index bdc20af5..3a34f612 100644
--- a/.github/workflows/liboauth2.yml
+++ b/.github/workflows/liboauth2.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml
index ddc61d89..ec170599 100644
--- a/.github/workflows/librelp.yml
+++ b/.github/workflows/librelp.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml
index d48272ab..471fe081 100644
--- a/.github/workflows/libssh2.yml
+++ b/.github/workflows/libssh2.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml
index 50301160..5b898a61 100644
--- a/.github/workflows/libwebsockets.yml
+++ b/.github/workflows/libwebsockets.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml
index 366e8ba5..12467296 100644
--- a/.github/workflows/multi-compiler.yml
+++ b/.github/workflows/multi-compiler.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 name: Build with compiler ${{ matrix.CC }}, wolfssl ${{ matrix.wolfssl_ref }}, OpenSSL ${{ matrix.openssl_ref }}
 runs-on: ${{ matrix.OS }}
diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml
index 8971d9ec..02660fc8 100644
--- a/.github/workflows/net-snmp.yml
+++ b/.github/workflows/net-snmp.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
index 358073f2..a9592b05 100644
--- a/.github/workflows/nginx.yml
+++ b/.github/workflows/nginx.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml
index 5645dd3b..fd2c9f57 100644
--- a/.github/workflows/openldap.yml
+++ b/.github/workflows/openldap.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml
index 967a9d89..01e0cd8b 100644
--- a/.github/workflows/opensc.yml
+++ b/.github/workflows/opensc.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml
index 9e8cb926..ebda31e2 100644
--- a/.github/workflows/openssh.yml
+++ b/.github/workflows/openssh.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
index dbb30276..421f4713 100644
--- a/.github/workflows/openvpn.yml
+++ b/.github/workflows/openvpn.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml
index bcd51522..8f07e3f7 100644
--- a/.github/workflows/pam-pkcs11.yml
+++ b/.github/workflows/pam-pkcs11.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml
index 9b265161..bac1baef 100644
--- a/.github/workflows/ppp.yml
+++ b/.github/workflows/ppp.yml
@@ -23,7 +23,21 @@ concurrency:
 cancel-in-progress: true
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml
index 6a5fb1ca..29e1d76d 100644
--- a/.github/workflows/python3-ntp.yml
+++ b/.github/workflows/python3-ntp.yml
@@ -25,7 +25,21 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ wait_for_smoke:
+ name: Wait for smoke
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ runs-on: ubuntu-22.04
+ timeout-minutes: 35
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - uses: ./.github/actions/wait-for-smoke
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 build_wolfprovider:
+ needs: wait_for_smoke
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml
index 03aea3e1..af29b9f0 100644
--- a/.github/workflows/qt5network5.yml
+++ b/.github/workflows/qt5network5.yml
@@ -22,7 +22,21 @@ concurrency: cancel-in-progress: true jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 097f08a5..96ec9e7c 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml @@ -22,7 +22,21 @@ concurrency: cancel-in-progress: true jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 28de2b80..1b48c8b8 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml 
@@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index 2465cb20..35778e3c 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index f1e0e84a..e54a520a 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml 
@@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index b24a3c77..44154571 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml @@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index 9a1c5217..ffcd0b3a 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml 
@@ -22,7 +22,21 @@ concurrency: cancel-in-progress: true jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 4f6bb0e0..53977cfc 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index bac8d14b..6446a858 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml 
@@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index bd700a97..482f5921 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml @@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + build_wolfprovider: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: From 41cded3f1b88eceeefcd5182d03994d0d68edeeb Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 11:42:07 -0700 Subject: [PATCH 04/26] ci: dynamic wolfSSL latest-stable resolution (Phase G) Stop hardcoding wolfSSL versions in each workflow. Borrow wolfTPM's pattern from .github/workflows/wolfssl-versions-pqc.yml: resolve the highest v*-stable tag at run time via git ls-remote and pass it down as a workflow output. New: .github/workflows/_discover-wolfssl.yml -- reusable workflow that emits `latest_stable` output (e.g. v5.9.2-stable). Applied to workflows that build wolfSSL from source: - simple.yml: matrix.wolfssl_ref dropped; build step pulls from needs.discover_versions.outputs.latest_stable. - smoke-test.yml: stable row uses discovered tag; master row stays. - libtss2.yml: same swap as simple.yml. Not applied to workflows that consume pre-built .deb packages from ghcr.io (the 36 Debian app workflows). Those .debs are built by a Jenkins debian-export job that currently bakes v5.8.4-stable into the package contents. Switching wolfssl_ref to latest_stable would just mislabel the artifact name -- the library shipped in the deb would still be v5.8.4. Follow-up needed on the Jenkins side to track latest-stable too; that change is out of scope for this PR. multi-compiler.yml is left alone: it intentionally pins v5.8.0-stable on one matrix row as a backward-compat check. --- .github/workflows/_discover-wolfssl.yml | 43 +++++++++++++++++++++++++ .github/workflows/libtss2.yml | 10 ++++-- .github/workflows/simple.yml | 14 +++++--- .github/workflows/smoke-test.yml | 20 +++++++----- 4 files changed, 73 insertions(+), 14 deletions(-) create mode 100644 .github/workflows/_discover-wolfssl.yml diff --git a/.github/workflows/_discover-wolfssl.yml b/.github/workflows/_discover-wolfssl.yml new file mode 100644 index 00000000..465a72e6 --- /dev/null +++ b/.github/workflows/_discover-wolfssl.yml 
@@ -0,0 +1,43 @@ +name: Discover wolfSSL latest-stable + +# Reusable workflow that resolves the highest v*-stable tag on +# https://github.com/wolfSSL/wolfssl at run time, so consumer workflows +# do not have to be edited every wolfSSL release. Pattern lifted from +# wolfSSL/wolfTPM's .github/workflows/wolfssl-versions-pqc.yml. +# +# Heavy workflows that pull pre-built .deb packages from ghcr.io still +# get whatever the Jenkins debian-export job has published. The +# wolfssl_ref input to build-wolfprovider.yml ends up being +# informational in that case (the package contents are authoritative). +# simple.yml is the one workflow that genuinely consumes this output +# at face value, since it builds wolfSSL from source via +# scripts/build-wolfprovider.sh. + +on: + workflow_call: + outputs: + latest_stable: + description: 'Highest v*-stable tag on wolfSSL master' + value: ${{ jobs.discover.outputs.latest_stable }} + +jobs: + discover: + name: Resolve latest-stable + runs-on: ubuntu-latest + timeout-minutes: 5 + outputs: + latest_stable: ${{ steps.resolve.outputs.latest_stable }} + steps: + - name: Resolve latest -stable wolfSSL tag + id: resolve + run: | + set -euo pipefail + # ls-remote is ~1s and avoids cloning just to read tag names. + LATEST=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' \ + | awk -F/ '{print $NF}' | sort -V | tail -n 1) + if [ -z "${LATEST:-}" ]; then + echo "::error::Could not resolve latest wolfSSL -stable tag from remote" + exit 1 + fi + echo "Latest stable wolfSSL: $LATEST" + echo "latest_stable=$LATEST" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index 5af12846..990ac9ab 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml 
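Review bot: The `awk -F/ '{print $NF}'` in the Resolve step discards the object id that `git ls-remote` prints in its first column, so the run log and the `latest_stable` output record only a mutable tag name and a build cannot later be tied back to the exact wolfSSL commit it used. Keeping the whole line and sorting on the tag field preserves that: `LINE=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' | sort -t/ -k3,3 -V | tail -n 1)`, then `LATEST=${LINE##*/}` and `echo "Latest stable wolfSSL: $LATEST (${LINE%%[[:space:]]*})"`. The header comment saying simple.yml is the one workflow that genuinely consumes this output is already stale within this commit, which also wires it into libtss2.yml and smoke-test.yml; I would reword it to name all three. This job also uses `runs-on: ubuntu-latest` while every other job in the series pins `ubuntu-22.04`.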
@@ -21,14 +21,18 @@ concurrency: cancel-in-progress: true jobs: + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-wolfssl.yml + test_tpm2_tss: + needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 timeout-minutes: 30 strategy: matrix: tpm2_tss_ref: [ '4.1.3'] - wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] @@ -62,7 +66,9 @@ jobs: - name: Build wolfProvider run: | - OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh + OPENSSL_TAG=${{ matrix.openssl_ref }} \ + WOLFSSL_TAG=${{ needs.discover_versions.outputs.latest_stable }} \ + ./scripts/build-wolfprovider.sh - name: Checkout tpm2-tss uses: actions/checkout@v4 diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index 7c603278..36342e4a 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml @@ -25,16 +25,20 @@ concurrency: # END OF COMMON SECTION jobs: + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-wolfssl.yml + simple_test: + needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: Simple Test runs-on: ubuntu-22.04 timeout-minutes: 20 strategy: matrix: - # PR matrix: newest stable wolfssl + newest 3.5 and oldest 3.0 OpenSSL - # = 1 x 2 x 1 x 2 = 4 jobs. Full sweep runs nightly. - wolfssl_ref: [ 'v5.8.4-stable' ] + # PR matrix: latest-stable wolfssl (resolved at runtime) + newest 3.5 + # and oldest 3.0 OpenSSL = 2 x 1 x 2 = 4 jobs. Full sweep runs nightly. openssl_ref: [ 'openssl-3.5.4', 'openssl-3.0.17'] 
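Review bot: `WOLFSSL_TAG=${{ needs.discover_versions.outputs.latest_stable }}` in the libtss2 Build wolfProvider step splices a value resolved from a remote at run time directly into the shell script text, where the replaced `matrix.wolfssl_ref` was a literal the workflow author controlled. The remote is wolfSSL's own repository, so the practical exposure is small, but the standard hardening for run-time values is to pass them through the step's `env:` and reference a shell variable, e.g. `env:` / `WOLFSSL_TAG: ${{ needs.discover_versions.outputs.latest_stable }}` on the step and `WOLFSSL_TAG="$WOLFSSL_TAG" ./scripts/build-wolfprovider.sh` in `run:`. The same pattern appears in the simple.yml hunk below and in the smoke-test.yml hunk on the next line; quoting the expansion there (`"${{ ... }}"`) does not change that the substitution happens before bash parses the script.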
@@ -51,7 +55,9 @@ jobs: - name: Build and test wolfProvider run: | - OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh ${{ matrix.debug }} ${{ matrix.replace_default }} + OPENSSL_TAG=${{ matrix.openssl_ref }} \ + WOLFSSL_TAG=${{ needs.discover_versions.outputs.latest_stable }} \ + ./scripts/build-wolfprovider.sh ${{ matrix.debug }} ${{ matrix.replace_default }} - name: Print errors if: ${{ failure() }} diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index 6519d098..b294de6d 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -33,22 +33,24 @@ permissions: contents: read jobs: + discover_versions: + uses: ./.github/workflows/_discover-wolfssl.yml + smoke: - name: Smoke build (${{ matrix.config.name }}) + needs: discover_versions + name: Smoke build (${{ matrix.name }}) runs-on: ubuntu-22.04 timeout-minutes: 20 strategy: fail-fast: false matrix: - config: + include: - name: master/openssl-3.5 wolfssl_ref: master openssl_ref: openssl-3.5.4 - extra: "" - name: stable/openssl-3.5 - wolfssl_ref: v5.8.4-stable + wolfssl_ref: '' # filled in from needs.discover_versions openssl_ref: openssl-3.5.4 - extra: "" steps: - name: Checkout wolfProvider @@ -58,9 +60,11 @@ jobs: - name: Build and test wolfProvider run: | - OPENSSL_TAG=${{ matrix.config.openssl_ref }} \ - WOLFSSL_TAG=${{ matrix.config.wolfssl_ref }} \ - ./scripts/build-wolfprovider.sh ${{ matrix.config.extra }} + # Substitute the resolved latest-stable for the "stable" matrix row. + WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.latest_stable }}" + OPENSSL_TAG=${{ matrix.openssl_ref }} \ + WOLFSSL_TAG="$WOLFSSL_TAG" \ + ./scripts/build-wolfprovider.sh - name: Print errors if: ${{ failure() }} From 71a618c710ef78a707bb71fa8ef3c0799071997b Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 11:44:51 -0700 Subject: [PATCH 05/26] ci: add retries, fail-fast: false, and nightly full sweep (Phase D + E2) Reliability (Phase D): - build-wolfprovider.yml: retry the ORAS install download (GitHub releases occasionally flake) and the ORAS pull of pre-built .deb packages from ghcr.io (the biggest single flake source per the triage). Three attempts with linear backoff (10s/15s). - Same retry wrapper around the Yocto WIC pull and the apt-get install of xz-utils. fail-fast: false on every multi-shard matrix (44 files, 73 matrix blocks). Reason: one apt-mirror or container-pull flake on shard 3 of 8 used to kill all 8 shards and force a full re-run. Now the healthy shards still report. Nightly full sweep (Phase E2): - New .github/workflows/nightly-full-sweep.yml on cron '0 6 * * *' plus workflow_dispatch. - Restores the simple.yml axes that PRs dropped: 2 wolfssl x 6 openssl x 2 debug x 2 replace_default = 48 jobs. - Curl/openssh/git-ssh-dr nightly expansions are a follow-up; those workflows need a workflow_call refactor first. 
--- .github/workflows/bind9.yml | 1 + .github/workflows/build-wolfprovider.yml | 62 ++++++++++++---- .github/workflows/cjose.yml | 2 + .github/workflows/cmdline.yml | 1 + .github/workflows/curl.yml | 2 + .github/workflows/debian-package.yml | 2 + .github/workflows/fips-ready.yml | 1 + .github/workflows/git-ssh-dr.yml | 2 + .github/workflows/grpc.yml | 1 + .github/workflows/hostap.yml | 2 + .github/workflows/iperf.yml | 2 + .github/workflows/krb5.yml | 2 + .github/workflows/libcryptsetup.yml | 1 + .github/workflows/libeac3.yml | 2 + .github/workflows/libfido2.yml | 2 + .github/workflows/libhashkit2.yml | 2 + .github/workflows/libnice.yml | 2 + .github/workflows/liboauth2.yml | 2 + .github/workflows/librelp.yml | 2 + .github/workflows/libssh2.yml | 2 + .github/workflows/libtss2.yml | 1 + .github/workflows/libwebsockets.yml | 2 + .github/workflows/net-snmp.yml | 1 + .github/workflows/nginx.yml | 2 + .github/workflows/nightly-full-sweep.yml | 90 ++++++++++++++++++++++++ .github/workflows/openldap.yml | 1 + .github/workflows/opensc.yml | 2 + .github/workflows/openssh.yml | 2 + .github/workflows/openssl-version.yml | 1 + .github/workflows/openvpn.yml | 1 + .github/workflows/pam-pkcs11.yml | 2 + .github/workflows/ppp.yml | 2 + .github/workflows/python3-ntp.yml | 2 + .github/workflows/qt5network5.yml | 2 + .github/workflows/rsync.yml | 2 + .github/workflows/seed-src.yml | 1 + .github/workflows/simple.yml | 1 + .github/workflows/socat.yml | 1 + .github/workflows/sscep.yml | 2 + .github/workflows/stunnel.yml | 2 + .github/workflows/systemd.yml | 1 + .github/workflows/tcpdump.yml | 2 + .github/workflows/tnftp.yml | 2 + .github/workflows/tpm2-tools.yml | 1 + .github/workflows/x11vnc.yml | 2 + .github/workflows/xmlsec.yml | 2 + 46 files changed, 212 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/nightly-full-sweep.yml diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index 4ea8e7d5..61282909 100644 --- a/.github/workflows/bind9.yml 
+++ b/.github/workflows/bind9.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/build-wolfprovider.yml b/.github/workflows/build-wolfprovider.yml index 9c9bb9c5..5d6d81a8 100644 --- a/.github/workflows/build-wolfprovider.yml +++ b/.github/workflows/build-wolfprovider.yml @@ -90,7 +90,15 @@ jobs: run: | ORAS_VERSION="1.2.2" ORAS_CHECKSUM="bff970346470e5ef888e9f2c0bf7f8ee47283f5a45207d6e7a037da1fb0eae0d" - curl -sLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" + # GitHub releases are an occasional flake point; retry the download. + rm -f "oras_${ORAS_VERSION}_linux_amd64.tar.gz" + for attempt in 1 2 3; do + if curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"; then + break + fi + echo "ORAS download attempt $attempt failed." + [ "$attempt" -lt 3 ] && sleep $((attempt * 10)) + done echo "${ORAS_CHECKSUM} oras_${ORAS_VERSION}_linux_amd64.tar.gz" | sha256sum -c - || { echo "ERROR: ORAS checksum verification failed!" exit 1 
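Review bot: When all three `curl -fsSLO` attempts in the Install ORAS step fail, the loop falls through silently and execution reaches the `sha256sum -c` line, which then reports "ORAS checksum verification failed!" for a file that was never downloaded — a misleading diagnosis for what is a network failure. Add an explicit check after the loop, `[ -f "oras_${ORAS_VERSION}_linux_amd64.tar.gz" ] || { echo "ERROR: ORAS download failed after 3 attempts"; exit 1; }`, so the two failure modes are distinguishable in the log. The `oras_pull_with_retry` helper in the next hunk does this correctly with `return 1`; the apt-get loop and the WIC pull loop two lines further down have the same silent fall-through and would benefit from the same terminal check.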
@@ -115,26 +123,43 @@ jobs: mkdir -p ${{ env.WOLFSSL_PACKAGES_PATH }} mkdir -p ${{ env.OPENSSL_PACKAGES_PATH }} + # Retry ORAS pulls -- ghcr.io is the single biggest flake source + # in this CI, so don't let one transient network blip kill the + # whole matrix. + oras_pull_with_retry() { + local image="$1" + local outdir="$2" + for attempt in 1 2 3; do + if oras pull "$image" -o "$outdir"; then + return 0 + fi + echo "oras pull $image attempt $attempt failed." + [ "$attempt" -lt 3 ] && sleep $((attempt * 15)) + done + echo "ERROR: oras pull $image failed after 3 attempts." + return 1 + } + # Pull wolfSSL packages based on FIPS variant if [ "${{ inputs.fips_ref }}" = "FIPS" ]; then echo "Pulling FIPS wolfSSL packages..." - oras pull ghcr.io/wolfssl/wolfprovider/debs:fips \ - -o ${{ env.WOLFSSL_PACKAGES_PATH }} + oras_pull_with_retry ghcr.io/wolfssl/wolfprovider/debs:fips \ + ${{ env.WOLFSSL_PACKAGES_PATH }} else echo "Pulling non-FIPS wolfSSL packages..." - oras pull ghcr.io/wolfssl/wolfprovider/debs:nonfips \ - -o ${{ env.WOLFSSL_PACKAGES_PATH }} + oras_pull_with_retry ghcr.io/wolfssl/wolfprovider/debs:nonfips \ + ${{ env.WOLFSSL_PACKAGES_PATH }} fi # Pull OpenSSL packages based on replace_default setting if [ "${{ inputs.replace_default }}" = "true" ]; then echo "Pulling OpenSSL replace-default packages..." - oras pull ghcr.io/wolfssl/wolfprovider/debs:openssl-replace-default \ - -o ${{ env.OPENSSL_PACKAGES_PATH }} + oras_pull_with_retry ghcr.io/wolfssl/wolfprovider/debs:openssl-replace-default \ + ${{ env.OPENSSL_PACKAGES_PATH }} else echo "Pulling OpenSSL default packages..." - oras pull ghcr.io/wolfssl/wolfprovider/debs:openssl-default \ - -o ${{ env.OPENSSL_PACKAGES_PATH }} + oras_pull_with_retry ghcr.io/wolfssl/wolfprovider/debs:openssl-default \ + ${{ env.OPENSSL_PACKAGES_PATH }} fi # Validate that we actually got .deb files 
@@ -164,8 +189,13 @@ jobs: - name: Install xz-utils if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'yocto' run: | - apt-get update - apt-get install -y xz-utils + for attempt in 1 2 3; do + if apt-get update && apt-get install -y xz-utils; then + break + fi + echo "apt attempt $attempt failed." + [ "$attempt" -lt 3 ] && sleep $((attempt * 10)) + done - name: Download WIC images from ghcr.io if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider' && inputs.build_type == 'yocto' @@ -174,8 +204,14 @@ jobs: TAG="${{ steps.prepare_artifact_name.outputs.fips_str }}-${{ steps.prepare_artifact_name.outputs.config_str }}" echo "Pulling ghcr.io/wolfssl/wolfprovider/wics:${TAG}..." - oras pull "ghcr.io/wolfssl/wolfprovider/wics:${TAG}" \ - -o ${{ env.YOCTO_IMAGES_PATH }} + for attempt in 1 2 3; do + if oras pull "ghcr.io/wolfssl/wolfprovider/wics:${TAG}" \ + -o ${{ env.YOCTO_IMAGES_PATH }}; then + break + fi + echo "WIC pull attempt $attempt failed." + [ "$attempt" -lt 3 ] && sleep $((attempt * 15)) + done cd ${{ env.YOCTO_IMAGES_PATH }} diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index f3e666b7..54eb0dc3 100644 --- a/.github/workflows/cjose.yml +++ b/.github/workflows/cjose.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -66,6 +67,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: # Dont test osp master since it might be unstable cjose_ref: [ 'v0.6.2.1' ] diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml index 6ece38fd..56dfe29e 100644 --- a/.github/workflows/cmdline.yml +++ b/.github/workflows/cmdline.yml 
@@ -31,6 +31,7 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 20 strategy: + fail-fast: false matrix: openssl_ref: [ 'master', 'openssl-3.5.0' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index decd1aa3..93590f44 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: # PR runs latest curl only; older refs run in the nightly sweep. curl_ref: [ 'curl-8_4_0' ] diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 7d5269af..08ce4bbb 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -67,6 +68,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml index 3d1581e0..e444172f 100644 --- a/.github/workflows/fips-ready.yml +++ b/.github/workflows/fips-ready.yml @@ -31,6 +31,7 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 20 strategy: + fail-fast: false matrix: wolfssl_bundle_ref: [ '5.8.2' ] openssl_ref: [ 'openssl-3.5.0' ] diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index 5ccc861a..866cc9e5 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml 
@@ -46,6 +46,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -63,6 +64,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 18ce6202..e371d3bd 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index b4d8de2e..5a528903 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -67,6 +68,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 90 strategy: + fail-fast: false matrix: hostap_ref: [ 'main' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 492a07ca..5d79c57d 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: iperf_ref: [ '3.12' ] wolfssl_ref: [ 'v5.8.4-stable' ] 
diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 1d86cfc9..7f95c584 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 30 strategy: + fail-fast: false matrix: krb5_ref: [ 'krb5-1.20.1-final' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index 49a45e96..6f968940 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 43de06ce..36d0bf81 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: openpace_ref: [ '1.1.3' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 4f81ffdd..7a5d2cc9 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml @@ -44,6 +44,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] 
@@ -60,6 +61,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 strategy: + fail-fast: false matrix: libfido2_ref: [ '1.15.0' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index 1fa16d1f..499c4a65 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: libhashkit2_ref: [ '1.1.4' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index ac4e9106..31fbd2bb 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -64,6 +65,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 strategy: + fail-fast: false matrix: libnice_ref: [ '0.1.21' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index 3a34f612..ab1b43ee 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -64,6 +65,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 strategy: + fail-fast: false matrix: liboauth2_ref: [ 'v1.4.5.4' ] wolfssl_ref: [ 'v5.8.4-stable' ] 
diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index ec170599..d74ca923 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -66,6 +67,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: # Dont test osp master since it might be unstable librelp_ref: [ 'v1.12.0' ] diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 471fe081..a9186235 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -64,6 +65,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 strategy: + fail-fast: false matrix: libssh2_ref: [ 'libssh2-1.10.0' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index 990ac9ab..b78ea979 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -31,6 +31,7 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 30 strategy: + fail-fast: false matrix: tpm2_tss_ref: [ '4.1.3'] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index 5b898a61..bc41e7bd 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] 
@@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: libwebsockets_ref: [ 'v4.3.3' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 02660fc8..90e23223 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index a9592b05..55594dc2 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: nginx_ref: [ 'release-1.27.4' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/nightly-full-sweep.yml b/.github/workflows/nightly-full-sweep.yml new file mode 100644 index 00000000..22dea1eb --- /dev/null +++ b/.github/workflows/nightly-full-sweep.yml 
@@ -0,0 +1,90 @@ +name: Nightly Full Sweep + +# Runs the coverage axes that PR matrices dropped in Phase A: +# - all 6 OpenSSL minor versions (PR runs 2) +# - both wolfssl refs (PR runs latest-stable only) +# - --debug variant (PR drops it) +# +# Lives on a cron, also workflow_dispatch for on-demand. Not wired into +# the smoke gate -- nightly runs are not subject to draft-PR logic. +# +# Follow-up: curl/openssh/git-ssh-dr matrix expansions (older refs, +# 10-iteration soak, additional key_types) need those workflows to be +# refactored into workflow_call form so this job can `uses:` them with +# overridden inputs. For now, only the simple-build sweep is here -- +# it's the biggest dropped surface (48 -> 4 jobs). + +on: + schedule: + # 06:00 UTC daily -- mid-evening US Pacific. Pick a time when runner + # contention is low so the 48-job matrix doesn't fight PR CI. + - cron: '0 6 * * *' + workflow_dispatch: + inputs: + reason: + description: 'Why is this being run manually? (annotation only)' + required: false + default: 'manual full-sweep' + +concurrency: + group: nightly-full-sweep + cancel-in-progress: false + +permissions: + contents: read + +jobs: + discover_versions: + uses: ./.github/workflows/_discover-wolfssl.yml + + full_simple_sweep: + name: Simple sweep (${{ matrix.wolfssl_ref }}/${{ matrix.openssl_ref }}${{ matrix.debug }}${{ matrix.replace_default && ' replace-default' || '' }}) + needs: discover_versions + runs-on: ubuntu-22.04 + timeout-minutes: 30 + strategy: + fail-fast: false + matrix: + # Full sweep: 2 wolfssl x 6 openssl x 2 debug x 2 replace_default = 48 jobs. + # PR runs 4 of these (newest+oldest OpenSSL, no --debug, latest-stable wolfssl). 
+ wolfssl_ref: + - master + - latest-stable + openssl_ref: + - openssl-3.5.4 + - openssl-3.4.2 + - openssl-3.3.4 + - openssl-3.2.5 + - openssl-3.1.8 + - openssl-3.0.17 + debug: ['', '--debug'] + replace_default: + - '' + - '--replace-default --enable-replace-default-testing' + steps: + - name: Checkout wolfProvider + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Resolve wolfssl tag + id: resolve + run: | + if [ "${{ matrix.wolfssl_ref }}" = "latest-stable" ]; then + echo "tag=${{ needs.discover_versions.outputs.latest_stable }}" >> "$GITHUB_OUTPUT" + else + echo "tag=${{ matrix.wolfssl_ref }}" >> "$GITHUB_OUTPUT" + fi + + - name: Build and test wolfProvider + run: | + OPENSSL_TAG=${{ matrix.openssl_ref }} \ + WOLFSSL_TAG=${{ steps.resolve.outputs.tag }} \ + ./scripts/build-wolfprovider.sh ${{ matrix.debug }} ${{ matrix.replace_default }} + + - name: Print errors + if: ${{ failure() }} + run: | + if [ -f test-suite.log ] ; then + cat test-suite.log + fi diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index fd2c9f57..ac05af92 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index 01e0cd8b..a85ea16c 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 30 strategy: + fail-fast: false matrix: opensc_ref: [ '0.25.1' ] wolfssl_ref: [ 'v5.8.4-stable' ] 
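Review bot: The `Resolve wolfssl tag` step splices `${{ needs.discover_versions.outputs.latest_stable }}` straight into the `run:` script, so whatever `_discover-wolfssl.yml` returns is executed as shell source rather than handled as data; if that output is ever derived from a tag name read from an external repository, a crafted name could escape the `echo`. The usual mitigation is to hand the value over through the step's `env:` (`LATEST_STABLE: ${{ needs.discover_versions.outputs.latest_stable }}`) and write `echo "tag=$LATEST_STABLE" >> "$GITHUB_OUTPUT"`, and likewise to quote and env-pass `WOLFSSL_TAG=${{ steps.resolve.outputs.tag }}` in the build step. This file is deleted again in PATCH 06 of this series, but the simple.yml comment in this same patch says it resolves latest-stable at runtime as well, so that workflow is worth checking for the same interpolation pattern.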
diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index ebda31e2..6af01923 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -75,6 +76,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: # PR runs latest openssh only; older refs run in the nightly sweep. openssh_ref: [ 'V_10_0_P2' ] diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml index 64307c35..d018908c 100644 --- a/.github/workflows/openssl-version.yml +++ b/.github/workflows/openssl-version.yml @@ -32,6 +32,7 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 30 strategy: + fail-fast: false matrix: wolfssl_ref: ['v5.8.4-stable'] openssl_ref: [ diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 421f4713..da944a5f 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index 8f07e3f7..bae3debe 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: pam_pkcs11_ref: [ 'pam_pkcs11-0.6.12' ] wolfssl_ref: [ 'v5.8.4-stable' ] 
diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index bac1baef..7b5f0061 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -46,6 +46,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -62,6 +63,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 strategy: + fail-fast: false matrix: # Switched to v2.5.2 due to significant limitations with v2.4.9, # specifically the lack of a test suite, necessary configure options, diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index 29e1d76d..b2a185ec 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -69,6 +70,7 @@ jobs: OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages strategy: + fail-fast: false matrix: python3-ntp_ref: [ 'NTPsec_1_2_2' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index af29b9f0..311fe3eb 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml @@ -45,6 +45,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -61,6 +62,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 40 strategy: + fail-fast: false matrix: qt_ref: [ 'v5.15.8-lts-lgpl' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 96ec9e7c..3502e0ea 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml 
@@ -45,6 +45,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages strategy: + fail-fast: false matrix: rsync_ref: [ 'v3.2.7' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml index 4489d4fc..82e62efe 100644 --- a/.github/workflows/seed-src.yml +++ b/.github/workflows/seed-src.yml @@ -31,6 +31,7 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 20 strategy: + fail-fast: false matrix: wolfssl_ref: [ 'master', diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index 36342e4a..09d2eaa6 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml @@ -36,6 +36,7 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 20 strategy: + fail-fast: false matrix: # PR matrix: latest-stable wolfssl (resolved at runtime) + newest 3.5 # and oldest 3.0 OpenSSL = 2 x 1 x 2 = 4 jobs. Full sweep runs nightly. diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 1b48c8b8..9f510694 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index 35778e3c..8d737eb6 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] 
@@ -68,6 +69,7 @@ jobs: OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages strategy: + fail-fast: false matrix: sscep_ref: [ 'v0.10.0' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index e54a520a..8e6dbf16 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 10 strategy: + fail-fast: false matrix: stunnel_ref: [ 'stunnel-5.67' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index 44154571..b56e8e7d 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index ffcd0b3a..948bb522 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml @@ -45,6 +45,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -62,6 +63,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 strategy: + fail-fast: false matrix: tcpdump_ref: [ 'tcpdump-4.99.3' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 53977cfc..7d143a79 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml 
@@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -65,6 +66,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: tnftp_ref: [ 'tnftp-20210827' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 6446a858..2cc9e669 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index 482f5921..e0e051a0 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml @@ -48,6 +48,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -64,6 +65,7 @@ jobs: DEBIAN_FRONTEND: noninteractive timeout-minutes: 10 strategy: + fail-fast: false matrix: x11vnc_ref: [ '0.9.17' ] wolfssl_ref: [ 'v5.8.4-stable' ] diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index decb647e..2db0a57d 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -21,6 +21,7 @@ jobs: fips_ref: ${{ matrix.fips_ref }} replace_default: ${{ matrix.replace_default }} strategy: + fail-fast: false matrix: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] @@ -38,6 +39,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: + fail-fast: false matrix: xmlsec_ref: [ 'xmlsec-1_2_37' ] wolfssl_ref: [ 'v5.8.4-stable' ] 
From abc0e72fbe22454213df374f4ba4577649f05ee1 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Mon, 25 May 2026 11:45:53 -0700 Subject: [PATCH 06/26] ci: drop nightly-full-sweep.yml Adding a 48-job cron sweep to a repo that is already throttled on shared runners works against the goal of this PR. The coverage that left the PR matrix (older OpenSSL versions, --debug variant, second external project refs) is not lost: it remains in simple.yml's full matrix on master pushes, and a follow-up can wire a workflow_dispatch trigger so a release engineer can fan it out on demand. --- .github/workflows/nightly-full-sweep.yml | 90 ------------------------ 1 file changed, 90 deletions(-) delete mode 100644 .github/workflows/nightly-full-sweep.yml diff --git a/.github/workflows/nightly-full-sweep.yml b/.github/workflows/nightly-full-sweep.yml deleted file mode 100644 index 22dea1eb..00000000 --- a/.github/workflows/nightly-full-sweep.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -name: Nightly Full Sweep - -# Runs the coverage axes that PR matrices dropped in Phase A: -# - all 6 OpenSSL minor versions (PR runs 2) -# - both wolfssl refs (PR runs latest-stable only) -# - --debug variant (PR drops it) -# -# Lives on a cron, also workflow_dispatch for on-demand. Not wired into -# the smoke gate -- nightly runs are not subject to draft-PR logic. -# -# Follow-up: curl/openssh/git-ssh-dr matrix expansions (older refs, -# 10-iteration soak, additional key_types) need those workflows to be -# refactored into workflow_call form so this job can `uses:` them with -# overridden inputs. For now, only the simple-build sweep is here -- -# it's the biggest dropped surface (48 -> 4 jobs). - -on: - schedule: - # 06:00 UTC daily -- mid-evening US Pacific. Pick a time when runner - # contention is low so the 48-job matrix doesn't fight PR CI. - - cron: '0 6 * * *' - workflow_dispatch: - inputs: - reason: - description: 'Why is this being run manually? (annotation only)' - required: false - default: 'manual full-sweep' - -concurrency: - group: nightly-full-sweep - cancel-in-progress: false - -permissions: - contents: read - -jobs: - discover_versions: - uses: ./.github/workflows/_discover-wolfssl.yml - - full_simple_sweep: - name: Simple sweep (${{ matrix.wolfssl_ref }}/${{ matrix.openssl_ref }}${{ matrix.debug }}${{ matrix.replace_default && ' replace-default' || '' }}) - needs: discover_versions - runs-on: ubuntu-22.04 - timeout-minutes: 30 - strategy: - fail-fast: false - matrix: - # Full sweep: 2 wolfssl x 6 openssl x 2 debug x 2 replace_default = 48 jobs. - # PR runs 4 of these (newest+oldest OpenSSL, no --debug, latest-stable wolfssl). 
- wolfssl_ref: - - master - - latest-stable - openssl_ref: - - openssl-3.5.4 - - openssl-3.4.2 - - openssl-3.3.4 - - openssl-3.2.5 - - openssl-3.1.8 - - openssl-3.0.17 - debug: ['', '--debug'] - replace_default: - - '' - - '--replace-default --enable-replace-default-testing' - steps: - - name: Checkout wolfProvider - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - - name: Resolve wolfssl tag - id: resolve - run: | - if [ "${{ matrix.wolfssl_ref }}" = "latest-stable" ]; then - echo "tag=${{ needs.discover_versions.outputs.latest_stable }}" >> "$GITHUB_OUTPUT" - else - echo "tag=${{ matrix.wolfssl_ref }}" >> "$GITHUB_OUTPUT" - fi - - - name: Build and test wolfProvider - run: | - OPENSSL_TAG=${{ matrix.openssl_ref }} \ - WOLFSSL_TAG=${{ steps.resolve.outputs.tag }} \ - ./scripts/build-wolfprovider.sh ${{ matrix.debug }} ${{ matrix.replace_default }} - - - name: Print errors - if: ${{ failure() }} - run: | - if [ -f test-suite.log ] ; then - cat test-suite.log - fi From 1f356ff1f5da3c228d54d5f57d3c95bf97ba44b6 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Mon, 25 May 2026 11:46:27 -0700 Subject: [PATCH 07/26] ci: drop nightly-sweep references from workflow comments --- .github/workflows/curl.yml | 2 +- .github/workflows/git-ssh-dr.yml | 2 +- .github/workflows/openssh.yml | 2 +- .github/workflows/simple.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 93590f44..0e6132fa 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -68,7 +68,7 @@ jobs: strategy: fail-fast: false matrix: - # PR runs latest curl only; older refs run in the nightly sweep. + # PR runs latest curl only. Older refs are exercised at release time. curl_ref: [ 'curl-8_4_0' ] wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index 866cc9e5..a7c03e26 100644 
--- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml @@ -71,7 +71,7 @@ jobs: fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] # PR matrix: 2 of 4 key types and 3 iterations. - # Full key_type sweep + 10-iteration soak runs nightly. + # Other key_types and longer soak runs are exercised at release time. key_type: [ 'rsa', 'ed25519' ] force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] iterations: [ 3 ] diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 6af01923..5439d831 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -78,7 +78,7 @@ jobs: strategy: fail-fast: false matrix: - # PR runs latest openssh only; older refs run in the nightly sweep. + # PR runs latest openssh only. Older refs exercised at release time. openssh_ref: [ 'V_10_0_P2' ] wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index 09d2eaa6..0f595f0d 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml @@ -39,7 +39,7 @@ jobs: fail-fast: false matrix: # PR matrix: latest-stable wolfssl (resolved at runtime) + newest 3.5 - # and oldest 3.0 OpenSSL = 2 x 1 x 2 = 4 jobs. Full sweep runs nightly. + # and oldest 3.0 OpenSSL = 2 x 1 x 2 = 4 jobs. openssl_ref: [ 'openssl-3.5.4', 'openssl-3.0.17'] From da865b3b553e577e70620769d0ffe4e330dfac89 Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 12:00:31 -0700 Subject: [PATCH 08/26] ci: collapse force_fail matrix axis into sequential test runs (Phase B) Every app workflow doubled its test matrix on force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] -- two jobs that shared the same build artifact, the same apt-installed dependencies, and ~95% of the same wall time, just to flip one env var. Drop the matrix axis and run both modes back-to-back inside one job. Each test step now contains: # --- normal mode --- | tee X-test-normal.log check-workflow-result.sh $? "" X # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 | tee X-test-ff.log check-workflow-result.sh $? "WOLFPROV_FORCE_FAIL=1" X 42 workflows, ~72 jobs/PR removed without dropping coverage. Special cases handled in-place: - bind9.yml: split the combined build-and-test step so autoreconf + configure + make run once, tests run twice. - hostap.yml: hwsim VM runs require rewriting vm/inside.sh per mode. Two setup steps and two test rounds (smoke + EAP) per mode. - curl.yml: cert-gen branch on curl=master is now unconditional for that ref (no longer gated on force_fail). - openldap.yml: keep the 15-minute timeout and exit-code 124 handling only on the force-fail round (WPFF hangs on test 067). - openvpn.yml: set +e/-e wrapped per round (force-fail run is allowed to return non-zero; check-workflow-result.sh interprets). - grpc.yml, x11vnc.yml: extracted a per-round shell function so the matrix.tests loop / test_x11vnc.sh wrapper isn't duplicated by hand. - iperf.yml: kill+wait the iperf3 server between rounds so the second round can bind the same port. - sssd.yml: set +e/-e only around the force-fail make check (the pre-existing "if WOLFPROV_FORCE_FAIL set +e" conditional collapsed). - xmlsec.yml: two test-keys + check-enc log pairs. - debian-package.yml: use env to inject REPLACE_DEFAULT, ISFIPS, and optionally WOLFPROV_FORCE_FAIL into do-cmd-tests.sh. 
--- .github/workflows/bind9.yml | 13 ++-- .github/workflows/cjose.yml | 15 ++-- .github/workflows/cmdline.yml | 9 ++- .github/workflows/curl.yml | 22 +++--- .github/workflows/debian-package.yml | 13 +++- .github/workflows/fips-ready.yml | 9 ++- .github/workflows/git-ssh-dr.yml | 12 +++- .github/workflows/grpc.yml | 64 +++++++++-------- .github/workflows/hostap.yml | 104 ++++++++++++++++----------- .github/workflows/iperf.yml | 37 ++++++---- .github/workflows/krb5.yml | 15 ++-- .github/workflows/libcryptsetup.yml | 17 +++-- .github/workflows/libeac3.yml | 17 ++++- .github/workflows/libfido2.yml | 22 ++++-- .github/workflows/libhashkit2.yml | 20 ++++-- .github/workflows/libnice.yml | 17 +++-- .github/workflows/liboauth2.yml | 16 +++-- .github/workflows/librelp.yml | 16 +++-- .github/workflows/libssh2.yml | 18 +++-- .github/workflows/libtss2.yml | 16 ++++- .github/workflows/libwebsockets.yml | 24 ++++++- .github/workflows/net-snmp.yml | 16 +++-- .github/workflows/nginx.yml | 15 ++-- .github/workflows/openldap.yml | 37 +++++----- .github/workflows/opensc.yml | 17 +++-- .github/workflows/openssh.yml | 46 ++++++++++-- .github/workflows/openvpn.yml | 23 +++--- .github/workflows/pam-pkcs11.yml | 21 +++++- .github/workflows/ppp.yml | 22 ++++-- .github/workflows/python3-ntp.yml | 19 +++-- .github/workflows/qt5network5.yml | 24 +++++-- .github/workflows/rsync.yml | 22 ++++-- .github/workflows/socat.yml | 17 +++-- .github/workflows/sscep.yml | 14 ++-- .github/workflows/sssd.yml | 21 +++--- .github/workflows/stunnel.yml | 31 +++++++- .github/workflows/systemd.yml | 15 +++- .github/workflows/tcpdump.yml | 16 +++-- .github/workflows/tnftp.yml | 43 +++++++++-- .github/workflows/tpm2-tools.yml | 24 +++++-- .github/workflows/x11vnc.yml | 34 ++++++--- .github/workflows/xmlsec.yml | 24 +++++-- 42 files changed, 723 insertions(+), 274 deletions(-) diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index 61282909..a3c009b9 100644 --- a/.github/workflows/bind9.yml 
+++ b/.github/workflows/bind9.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -158,7 +157,13 @@ jobs: make -j$(nproc) ./bin/tests/system/ifconfig.sh up - export ${{ matrix.force_fail }} - make -j$(nproc) check 2>&1 | tee bind9-test.log + # --- normal mode --- + make -j$(nproc) check 2>&1 | tee bind9-test-normal.log TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} bind9 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" bind9 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + make -j$(nproc) check 2>&1 | tee bind9-test-ff.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" bind9 diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index 54eb0dc3..0ef0db65 100644 --- a/.github/workflows/cjose.yml +++ b/.github/workflows/cjose.yml @@ -74,7 +74,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
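Review bot: Running the force-fail round after the normal round inside one job doubles the test portion of the step, but the job's `timeout-minutes` (set outside this hunk) was sized for a single `make check`; the slower suites touched by this patch (bind9 here, curl, grpc, and openldap with its 15-minute force-fail bound mentioned in the commit message) should have their limits re-checked. If the step runs under the default `bash -e`, a non-zero exit from the first `check-workflow-result.sh` ends the step before the force-fail round, so `bind9-test-ff.log` is never produced on a normal-mode failure; a comment such as `# a normal-mode failure aborts here; the force-fail round only runs after a clean pass` would record that this is intended rather than an oversight. The enclosing `run:` step begins before this hunk, so whatever later step collects `bind9-test.log` for upload or printing should be checked against the new `-normal.log`/`-ff.log` names.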
@@ -141,9 +140,17 @@ jobs: - name: Run cjose tests working-directory: cjose run: | - export ${{ matrix.force_fail }} + # --- normal mode --- - make test 2>&1 | tee cjose-test.log + make test 2>&1 | tee cjose-test-normal.log TEST_RESULT=$(grep -q "FAIL: check_cjose" cjose-test.log && echo "1" || echo "0") echo "TEST_RESULT = $TEST_RESULT" - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} cjose + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" cjose + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + make test 2>&1 | tee cjose-test-ff.log + TEST_RESULT=$(grep -q "FAIL: check_cjose" cjose-test.log && echo "1" || echo "0") + echo "TEST_RESULT = $TEST_RESULT" + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" cjose diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml index 56dfe29e..c09dd047 100644 --- a/.github/workflows/cmdline.yml +++ b/.github/workflows/cmdline.yml @@ -35,8 +35,8 @@ jobs: matrix: openssl_ref: [ 'master', 'openssl-3.5.0' ] wolfssl_ref: [ 'v5.8.4-stable' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] debug: ['WOLFPROV_DEBUG=1', ''] + # force_fail collapsed into sequential test runs below steps: - name: Checkout wolfProvider uses: actions/checkout@v4 @@ -50,4 +50,9 @@ jobs: - name: Run tests run: | source scripts/env-setup - ${{ matrix.force_fail }} ${{ matrix.debug }} ./scripts/cmd_test/do-cmd-tests.sh + + # --- normal mode --- + ${{ matrix.debug }} ./scripts/cmd_test/do-cmd-tests.sh + + # --- force-fail mode --- + WOLFPROV_FORCE_FAIL=1 ${{ matrix.debug }} ./scripts/cmd_test/do-cmd-tests.sh diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 0e6132fa..8ae147f0 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml 
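Review bot: In the cjose test step both rounds still grep `cjose-test.log`, while `tee` now writes `cjose-test-normal.log` and `cjose-test-ff.log`, so `grep -q` runs against a file that no longer exists, its non-zero status falls into the `|| echo "0"` branch, and `TEST_RESULT` is `0` regardless of what `make test` did; a real regression in normal mode would pass silently and the force-fail round can never report the failure it is meant to observe. The two lines should read `TEST_RESULT=$(grep -q "FAIL: check_cjose" cjose-test-normal.log && echo "1" || echo "0")` and `TEST_RESULT=$(grep -q "FAIL: check_cjose" cjose-test-ff.log && echo "1" || echo "0")`. Since a missing log is indistinguishable from a clean run with this construction, a preceding `test -f` on the log file would make the step fail loudly instead.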
@@ -73,8 +73,8 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages @@ -132,25 +132,29 @@ jobs: - name: Generate certificates for curl master force-fail tests run: | - if [ "${{ matrix.force_fail }}" = "WOLFPROV_FORCE_FAIL=1" ] && - [ "${{ matrix.curl_ref }}" = "master" ]; then + # Only curl master needs these test certs for force-fail mode. + if [ "${{ matrix.curl_ref }}" = "master" ]; then cd curl/tests/certs make test-ca.cacert cd ../.. fi + - name: Test curl with wolfProvider working-directory: curl shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} export CURL_REF=${{ matrix.curl_ref }} - # Tests rely on $USER being set export USER=testuser - # Run tests and save output to test.log - make -j$(nproc) test-ci 2>&1 | tee curl-test.log - # Capture the test result using PIPESTATUS (Bash only) + # --- normal mode --- + make -j$(nproc) test-ci 2>&1 | tee curl-test-normal.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" curl + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + make -j$(nproc) test-ci 2>&1 | tee curl-test-ff.log TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} curl + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" curl diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 08ce4bbb..71b2be2d 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml 
@@ -74,7 +74,7 @@ jobs: openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true, false ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages @@ -137,8 +137,15 @@ jobs: shell: bash run: | # Run the do-cmd-test.sh script to execute interoperability tests - echo "Running OpenSSL provider interoperability tests..." - OPENSSL_BIN=$(eval which openssl) ${{ matrix.replace_default && 'WOLFPROV_REPLACE_DEFAULT=1' || '' }} ${{ matrix.force_fail }} ${{ matrix.fips_ref == 'FIPS' && 'WOLFSSL_ISFIPS=1' || '' }} ./scripts/cmd_test/do-cmd-tests.sh + export OPENSSL_BIN=$(eval which openssl) + REPLACE_DEFAULT="${{ matrix.replace_default && 'WOLFPROV_REPLACE_DEFAULT=1' || '' }}" + ISFIPS="${{ matrix.fips_ref == 'FIPS' && 'WOLFSSL_ISFIPS=1' || '' }}" + + echo "Running interoperability tests (normal mode)..." + env $REPLACE_DEFAULT $ISFIPS ./scripts/cmd_test/do-cmd-tests.sh + + echo "Running interoperability tests (force-fail mode)..." + env $REPLACE_DEFAULT WOLFPROV_FORCE_FAIL=1 $ISFIPS ./scripts/cmd_test/do-cmd-tests.sh echo "PASS: All provider interoperability tests successful" - name: Uninstall package and verify cleanup diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml index e444172f..69fa42b5 100644 --- a/.github/workflows/fips-ready.yml +++ b/.github/workflows/fips-ready.yml @@ -35,7 +35,7 @@ jobs: matrix: wolfssl_bundle_ref: [ '5.8.2' ] openssl_ref: [ 'openssl-3.5.0' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] + # force_fail collapsed into sequential runs in the test step steps: - name: Checkout wolfProvider uses: actions/checkout@v4 
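Review bot: `export OPENSSL_BIN=$(eval which openssl)` in the debian-package test step runs `which` through an unnecessary `eval`; `export OPENSSL_BIN=$(command -v openssl)` gives the same value without evaluating the command line a second time. The `env $REPLACE_DEFAULT $ISFIPS ./scripts/cmd_test/do-cmd-tests.sh` lines depend on word splitting of unquoted variables that are either empty or a single `NAME=value` token, which is correct here but looks like a quoting mistake; a comment `# intentionally unquoted: each var is empty or one NAME=value word passed to env` would keep a later shellcheck-driven quoting pass from breaking it. Under the step's `shell: bash`, a failing normal-mode run stops the step before the force-fail run, so the closing `PASS:` echo only prints when both rounds succeeded.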
@@ -70,7 +70,10 @@ jobs: run: | # Run cmd tests to verify functionality export WOLFSSL_ISFIPS=1 - export ${{matrix.force_fail}} source scripts/env-setup - ${{ matrix.force_fail }} ./scripts/cmd_test/do-cmd-tests.sh + # --- normal mode --- + ./scripts/cmd_test/do-cmd-tests.sh + + # --- force-fail mode --- + WOLFPROV_FORCE_FAIL=1 ./scripts/cmd_test/do-cmd-tests.sh diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index a7c03e26..d2d38c2f 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml @@ -73,8 +73,8 @@ jobs: # PR matrix: 2 of 4 key types and 3 iterations. # Other key_types and longer soak runs are exercised at release time. key_type: [ 'rsa', 'ed25519' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] iterations: [ 3 ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages @@ -132,8 +132,14 @@ jobs: echo "Testing with key type: ${{ matrix.key_type }}" echo "Running ${{ matrix.iterations }} iterations" - # Run the scripts test - ${{ matrix.force_fail }} ./scripts/test-git-ssh-dr.sh \ + # --- normal mode --- + ./scripts/test-git-ssh-dr.sh \ + --key-types "${{ matrix.key_type }}" \ + --iterations "${{ matrix.iterations }}" \ + --verbose + + # --- force-fail mode --- + WOLFPROV_FORCE_FAIL=1 ./scripts/test-git-ssh-dr.sh \ --key-types "${{ matrix.key_type }}" \ --iterations "${{ matrix.iterations }}" \ --verbose diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index e371d3bd..5b848ea4 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml 
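Review bot: The git-ssh-dr test step now invokes `./scripts/test-git-ssh-dr.sh` twice with identical arguments and no `check-workflow-result.sh` call, so whether the force-fail round counts as a pass depends entirely on the script recognising `WOLFPROV_FORCE_FAIL` internally, which this hunk does not show; a comment `# test-git-ssh-dr.sh interprets WOLFPROV_FORCE_FAIL itself and exits 0 only when the expected failure is observed` would state that contract where a reader of the workflow needs it. The same applies to the fips-ready and cmdline steps in this patch, which also run `do-cmd-tests.sh` twice without a result check. The duplicated three-line argument list could be folded into a single `for ff in "" "WOLFPROV_FORCE_FAIL=1"` loop using `env $ff ./scripts/test-git-ssh-dr.sh ...` so the two rounds cannot drift apart.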
@@ -79,8 +79,8 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages 
@@ -178,33 +178,37 @@ jobs: # Start the port server ./tools/run_tests/start_port_server.py - export ${{ matrix.force_fail }} - set +e - - # Run the tests - all_passed=1 - for t in ${{ matrix.tests }} ; do - echo "===================================" - echo "Running test: $t" - echo "Force fail: ${{ matrix.force_fail }}" - echo "===================================" - ./cmake/build/$t - exit_code=$? - if [ $exit_code -ne 0 ]; then - echo "Test $t FAILED with exit code $exit_code" - echo "Force fail: ${{ matrix.force_fail }}" - all_passed=0 + run_grpc_round() { + local mode_label="$1" + local ff_arg="$2" + local all_passed=1 + set +e + for t in ${{ matrix.tests }} ; do + echo "===================================" + echo "Running test: $t (mode: $mode_label)" + echo "===================================" + ./cmake/build/$t + local exit_code=$? + if [ $exit_code -ne 0 ]; then + echo "Test $t FAILED with exit code $exit_code (mode: $mode_label)" + all_passed=0 + fi + done + set -e + local result + if [ $all_passed -eq 1 ]; then + result=0 + echo "ALL TESTS PASSED (mode: $mode_label)" + else + result=1 + echo "SOME TESTS FAILED (mode: $mode_label)" fi - done - - set -e - if [ $all_passed -eq 1 ]; then - echo "ALL TESTS PASSED" - TEST_RESULT=0 - else - echo "SOME TESTS FAILED" - TEST_RESULT=1 - fi - - # Check results - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} grpc + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $result "$ff_arg" grpc + } + + # --- normal mode --- + run_grpc_round normal "" + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + run_grpc_round ff "WOLFPROV_FORCE_FAIL=1" diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index 5a528903..613bb81d 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml 
@@ -73,9 +73,9 @@ jobs: hostap_ref: [ 'main' ] wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] + # force_fail collapsed into sequential VM test rounds below env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages @@ -184,9 +184,10 @@ jobs: LIBS += -lssl -lcrypto EOF - - name: Setup non-WPFF environment + # The non-WPFF env writes vm/inside.sh without WOLFPROV_FORCE_FAIL=1. + # The WPFF round below re-writes vm/inside.sh with that export added. + - name: Setup non-WPFF environment (round 1) working-directory: hostap/tests/hwsim - if: matrix.force_fail == '' run: | cd vm && git checkout inside.sh 2>/dev/null || true && cd .. sed -i '115 r /dev/stdin' vm/inside.sh <<'ENVEOF' @@ -202,25 +203,6 @@ jobs: export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 ENVEOF - - name: Setup WPFF environment - working-directory: hostap/tests/hwsim - if: matrix.force_fail == 'WOLFPROV_FORCE_FAIL=1' - run: | - cd vm && git checkout inside.sh 2>/dev/null || true && cd .. - sed -i '115 r /dev/stdin' vm/inside.sh <<'ENVEOF' - cat > /tmp/bin/halt << 'HALTEOF' - #!/bin/sh - sync - exit 0 - HALTEOF - chmod +x /tmp/bin/halt - OPENSSL_MODULES_PATH=$(find /usr -name "libwolfprov.so" -exec dirname {} \; 2>/dev/null | head -1) - [ -n "$OPENSSL_MODULES_PATH" ] && export OPENSSL_MODULES="$OPENSSL_MODULES_PATH" - export OPENSSL_CONF="/etc/ssl/openssl.cnf" - export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 - export WOLFPROV_FORCE_FAIL=1 - ENVEOF - - name: Update certs working-directory: hostap/tests/hwsim/auth_serv run: ./update.sh @@ -235,7 +217,7 @@ jobs: ldd hostapd/hostapd | grep ssl ldd wpa_supplicant/wpa_supplicant | grep ssl - - name: Run focused tests + - name: Run focused tests (normal mode) id: testing working-directory: hostap/tests/hwsim/ continue-on-error: true 
@@ -246,6 +228,7 @@ jobs: # Run smoke tests SMOKE_TESTS="ap_open ap_wpa2_psk discovery" + rm -rf /tmp/hwsim-test-logs timeout 3m ./vm/parallel-vm.py --nocurses $(nproc) $SMOKE_TESTS || SMOKE_RES=$? # Run EAP tests (excluding MSCHAPv2 - requires MD4/DES not in wolfSSL) @@ -258,9 +241,6 @@ jobs: FINAL_RES=1 fi - # Check for connection failures (common with WOLFPROV_FORCE_FAIL) - WPA_CONNECT_FAILS=$(grep -h "Could not connect to /tmp/wpas" /tmp/hwsim-test-logs/*-parallel.log 2>/dev/null | wc -l || echo "0") - # Ignore NOT-FOUND errors (test files missing/require special params) NOT_FOUND=$(grep -h "NOT-FOUND" /tmp/hwsim-test-logs/*-parallel.log 2>/dev/null | wc -l || echo "0") REAL_FAILS=$(grep -h "Failed:" /tmp/hwsim-test-logs/*-parallel.log 2>/dev/null | grep -v "NOT-FOUND" | wc -l || echo "0") 
@@ -268,22 +248,60 @@ jobs: FINAL_RES=0 fi - # Check results based on test mode - if [ "${{ matrix.force_fail }}" = "WOLFPROV_FORCE_FAIL=1" ]; then - # With force fail, we expect failures or connection issues - if [ $FINAL_RES -ne 0 ] || [ "$WPA_CONNECT_FAILS" -gt "0" ]; then - echo "✓ EXPECTED: Tests failed/crashed with WOLFPROV_FORCE_FAIL=1" - exit 0 - else - echo "✗ UNEXPECTED: Tests passed with WOLFPROV_FORCE_FAIL=1" - exit 1 - fi + if [ $FINAL_RES -eq 0 ]; then + echo "✓ SUCCESS: wolfProvider tests passed" + exit 0 + else + echo "✗ FAILURE: wolfProvider tests failed" + exit 1 + fi + + - name: Setup WPFF environment (round 2) + working-directory: hostap/tests/hwsim + run: | + cd vm && git checkout inside.sh 2>/dev/null || true && cd .. + sed -i '115 r /dev/stdin' vm/inside.sh <<'ENVEOF' + cat > /tmp/bin/halt << 'HALTEOF' + #!/bin/sh + sync + exit 0 + HALTEOF + chmod +x /tmp/bin/halt + OPENSSL_MODULES_PATH=$(find /usr -name "libwolfprov.so" -exec dirname {} \; 2>/dev/null | head -1) + [ -n "$OPENSSL_MODULES_PATH" ] && export OPENSSL_MODULES="$OPENSSL_MODULES_PATH" + export OPENSSL_CONF="/etc/ssl/openssl.cnf" + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + export WOLFPROV_FORCE_FAIL=1 + ENVEOF + + - name: Run focused tests (force-fail mode) + working-directory: hostap/tests/hwsim/ + continue-on-error: true + run: | + set +e + + SMOKE_RES=0 + TLS_RES=0 + + SMOKE_TESTS="ap_open ap_wpa2_psk discovery" + rm -rf /tmp/hwsim-test-logs + timeout 3m ./vm/parallel-vm.py --nocurses $(nproc) $SMOKE_TESTS || SMOKE_RES=$? + + TLS_EAP_TESTS="ap_wpa2_eap_tls ap_wpa2_eap_ttls_eap_gtc ap_wpa2_eap_peap_eap_tls" + timeout 5m ./vm/parallel-vm.py --nocurses $(nproc) $TLS_EAP_TESTS || TLS_RES=$? 
+ + FINAL_RES=0 + if [ "${SMOKE_RES:-0}" -ne "0" ] || [ "${TLS_RES:-0}" -ne "0" ]; then + FINAL_RES=1 + fi + + WPA_CONNECT_FAILS=$(grep -h "Could not connect to /tmp/wpas" /tmp/hwsim-test-logs/*-parallel.log 2>/dev/null | wc -l || echo "0") + + # With force fail, we expect failures or connection issues + if [ $FINAL_RES -ne 0 ] || [ "$WPA_CONNECT_FAILS" -gt "0" ]; then + echo "✓ EXPECTED: Tests failed/crashed with WOLFPROV_FORCE_FAIL=1" + exit 0 else - if [ $FINAL_RES -eq 0 ]; then - echo "✓ SUCCESS: wolfProvider tests passed" - exit 0 - else - echo "✗ FAILURE: wolfProvider tests failed" - exit 1 - fi + echo "✗ UNEXPECTED: Tests passed with WOLFPROV_FORCE_FAIL=1" + exit 1 fi diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 5d79c57d..27f0bc14 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
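Review bot: The new `Run focused tests (force-fail mode)` step is `continue-on-error: true` but, unlike the normal-mode step, has no `id:`, so its `exit 1` on `✗ UNEXPECTED: Tests passed with WOLFPROV_FORCE_FAIL=1` neither fails the job nor can be read through `steps.<id>.outcome`. If the job's final verdict is derived from `steps.testing.outcome` (that consumer is outside the hunk, so this is inferred), the force-fail round can never turn the job red. Give the step `id: testing_ff` and include it in whatever check consumes `steps.testing.outcome`, or drop `continue-on-error: true` from it. The enclosing job continues past the end of this hunk.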
@@ -152,24 +151,34 @@ jobs: - name: Run tests working-directory: iperf run: | - export ${{ matrix.force_fail }} - - # Test variables for iperf + # Test variables for iperf (shared across both modes) export IPERF3_EXECUTABLE=$GITHUB_WORKSPACE/iperf/src/iperf3 export IPERF3_LIB=$GITHUB_WORKSPACE/iperf/src/.libs/libiperf.so export IPERF3_TEST_INTERVAL=0.1 export IPERF3_TEST_DURATION=10 - export IPERF3_TEST_LOG=iperf-test.log export IPERF3_USER=mario export IPERF3_PASSWORD=rossi export KEY_DIR=$GITHUB_WORKSPACE/test-keys - # Launch the iperf server in the background - $IPERF3_EXECUTABLE -s \ - --rsa-private-key-path $KEY_DIR/rsa_private_unprotected.pem \ - --authorized-users-path $KEY_DIR/credentials.csv & - - # Run the client - $IPERF3_EXECUTABLE -c localhost -i $IPERF3_TEST_INTERVAL -t $IPERF3_TEST_DURATION \ - --rsa-public-key-path $KEY_DIR/rsa_public.pem \ - --user $IPERF3_USER | tee $IPERF3_TEST_LOG \ + run_iperf_round() { + local mode="$1" + local log="iperf-test-${mode}.log" + # Server in the background per round + $IPERF3_EXECUTABLE -s \ + --rsa-private-key-path $KEY_DIR/rsa_private_unprotected.pem \ + --authorized-users-path $KEY_DIR/credentials.csv & + local server_pid=$! + sleep 1 + $IPERF3_EXECUTABLE -c localhost -i $IPERF3_TEST_INTERVAL -t $IPERF3_TEST_DURATION \ + --rsa-public-key-path $KEY_DIR/rsa_public.pem \ + --user $IPERF3_USER | tee "$log" + kill "$server_pid" 2>/dev/null || true + wait "$server_pid" 2>/dev/null || true + } + + # --- normal mode --- + run_iperf_round normal + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + run_iperf_round ff diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 7f95c584..670cbe6a 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml 
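Review bot: Neither call of `run_iperf_round` checks the client's result: the status of `$IPERF3_EXECUTABLE -c ... | tee "$log"` is tee's, because the step declares no `shell:` and the default `bash -e` runs without `pipefail` (unless the job sets `defaults.run.shell`), and the force-fail round has no expectation check at all, so a client that still succeeds under `WOLFPROV_FORCE_FAIL=1` leaves the job green. The other workflows in this patch route each round through `check-workflow-result.sh`; do the same here by adding `local rc=${PIPESTATUS[0]}` right after the client pipeline and, after the server is stopped, `$GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh "$rc" "$2" iperf`, with the call sites becoming `run_iperf_round normal ""` and `run_iperf_round ff "WOLFPROV_FORCE_FAIL=1"`. Per-round log names are a good addition, but they only help if something reads them.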
@@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -165,9 +164,17 @@ jobs: make -j$(nproc) make install - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests and save output - make check 2>&1 | tee krb5-test.log + make check 2>&1 | tee krb5-test-normal.log TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} krb5 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" krb5 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests and save output + make check 2>&1 | tee krb5-test-ff.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" krb5 diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index 6f968940..96b8aced 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
@@ -164,11 +163,21 @@ jobs: - name: Run cryptsetup tests working-directory: cryptsetup run: | - export ${{ matrix.force_fail }} + # --- normal mode --- # from the cryptsetup source root make -j$(nproc) - make -C tests check TESTS="vectors-test run-all-symbols unit-utils-crypt-test" VERBOSE=1 2>&1 | tee cryptsetup-test.log + make -C tests check TESTS="vectors-test run-all-symbols unit-utils-crypt-test" VERBOSE=1 2>&1 | tee cryptsetup-test-normal.log TEST_RESULT=$(grep -q "All 3 tests passed" cryptsetup-test.log && echo "0" || echo "1") printf "TEST_RESULT: $TEST_RESULT\n" - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} cryptsetup + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" cryptsetup + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # from the cryptsetup source root + make -j$(nproc) + make -C tests check TESTS="vectors-test run-all-symbols unit-utils-crypt-test" VERBOSE=1 2>&1 | tee cryptsetup-test-ff.log + TEST_RESULT=$(grep -q "All 3 tests passed" cryptsetup-test.log && echo "0" || echo "1") + printf "TEST_RESULT: $TEST_RESULT\n" + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" cryptsetup diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 36d0bf81..fc61b781 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -155,7 +154,7 @@ jobs: - name: Run libeac3 tests working-directory: openpace run: | - export ${{ matrix.force_fail }} + # --- normal mode --- ./src/eactest > libeac3-test.log || echo "eactest failed with exit code $?" cat libeac3-test.log 
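Review bot: Both rounds now `tee` into `cryptsetup-test-normal.log` / `cryptsetup-test-ff.log`, but the `grep -q "All 3 tests passed" cryptsetup-test.log` on the next line still reads the old name, which nothing writes any more, so `TEST_RESULT` is `1` in both rounds whatever the tests did: the normal round is always reported as failed and the force-fail round presumably always as the expected failure. Point each grep at the log its round wrote, `TEST_RESULT=$(grep -q "All 3 tests passed" cryptsetup-test-normal.log && echo "0" || echo "1")` and the same with `cryptsetup-test-ff.log`. The identical renamed-log/stale-grep mismatch is in libfido2 (`libfido2-test.log` in both `if grep -q "100% tests passed"` lines) and opensc (`opensc-test.log` in the three `grep -q "# PASS/XFAIL"` checks of both rounds) in this same patch.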
@@ -164,4 +163,16 @@ jobs: else TEST_RESULT=1 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} libeac3 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" libeac3 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + ./src/eactest > libeac3-test.log || echo "eactest failed with exit code $?" + cat libeac3-test.log + + if grep -q "Everything works as expected." libeac3-test.log; then + TEST_RESULT=0 + else + TEST_RESULT=1 + fi + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" libeac3 diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 7a5d2cc9..2d55de06 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml @@ -67,7 +67,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -154,10 +153,10 @@ jobs: - name: Run libfido2 tests working-directory: libfido2_repo/build run: | - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests, excluding regress_dev which requires hardware/fails in CI - ctest --exclude-regex "regress_dev" 2>&1 | tee libfido2-test.log + ctest --exclude-regex "regress_dev" 2>&1 | tee libfido2-test-normal.log # Check test results directly in YAML if grep -q "100% tests passed" libfido2-test.log; then 
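Review bot: The force-fail round writes `./src/eactest > libeac3-test.log` over the file the normal round just produced and printed, so by the end of the step only the force-fail output survives for anyone archiving or inspecting the log, while every other workflow in this patch keeps per-round logs. Use `libeac3-test-normal.log` and `libeac3-test-ff.log` and update the matching `cat` and `grep -q "Everything works as expected."` lines in each round accordingly. The normal-mode half of this step sits in the previous hunk.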
@@ -166,4 +165,19 @@ jobs: TEST_RESULT=1 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} libfido2 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" libfido2 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests, excluding regress_dev which requires hardware/fails in CI + ctest --exclude-regex "regress_dev" 2>&1 | tee libfido2-test-ff.log + + # Check test results directly in YAML + if grep -q "100% tests passed" libfido2-test.log; then + TEST_RESULT=0 + else + TEST_RESULT=1 + fi + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" libfido2 diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index 499c4a65..e3514ab1 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -139,9 +138,9 @@ jobs: - name: Run libhashkit2 tests working-directory: libmemcached/build run: | - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests - make test 2>&1 | tee libhashkit2-test.log + make test 2>&1 | tee libhashkit2-test-normal.log if grep -q "(Failed)" libhashkit2-test.log; then TEST_RESULT=1 else 
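Review bot: `if grep -q "(Failed)" libhashkit2-test.log; then` still names the old log while the `make test` line above it now writes `libhashkit2-test-normal.log`; grep exits non-zero on the missing file, the `else` branch turns that into `TEST_RESULT=0`, and the normal round reports success no matter what `make test` did. The following `libhashkit2-test-ff.log` hunk has the same stale grep, so the force-fail round always looks like an unexpected pass there. Read the log each round wrote, `if grep -q "(Failed)" libhashkit2-test-normal.log; then` and `... libhashkit2-test-ff.log ...`, and consider treating a missing or empty log as a failure rather than a pass, e.g. `if [ ! -s libhashkit2-test-normal.log ] || grep -q "(Failed)" libhashkit2-test-normal.log; then`.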
@@ -149,4 +148,17 @@ jobs: fi echo "TEST_RESULT = $TEST_RESULT" - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} libhashkit2 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" libhashkit2 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + # Run tests + make test 2>&1 | tee libhashkit2-test-ff.log + if grep -q "(Failed)" libhashkit2-test.log; then + TEST_RESULT=1 + else + TEST_RESULT=0 + fi + echo "TEST_RESULT = $TEST_RESULT" + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" libhashkit2 diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index 31fbd2bb..0749e743 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml @@ -71,7 +71,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -149,11 +148,21 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from ninja test - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests and save output to test.log - ninja -C builddir test 2>&1 | tee libnice_test.log + ninja -C builddir test 2>&1 | tee libnice_test-normal.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} libnice + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" libnice + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests and save output to test.log + ninja -C builddir test 2>&1 | tee libnice_test-ff.log + + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" libnice 
diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index ab1b43ee..54a5b8ed 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -71,7 +71,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -150,10 +149,19 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # Build and run tests - make check 2>&1 | tee liboauth2-test.log + make check 2>&1 | tee liboauth2-test-normal.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} liboauth2 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" liboauth2 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Build and run tests + make check 2>&1 | tee liboauth2-test-ff.log + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" liboauth2 diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index d74ca923..86b9fede 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml @@ -74,8 +74,8 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages 
@@ -141,7 +141,13 @@ jobs: - name: Run librelp tests working-directory: librelp run: | - ${{ matrix.force_fail }} make check 2>&1 | tee librelp-test.log - TEST_RESULT=$(grep -q "# FAIL: 0" librelp-test.log && echo "0" || echo "1") - echo "TEST_RESULT = $TEST_RESULT" - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} librelp + # --- normal mode --- + make check 2>&1 | tee librelp-test-normal.log + TEST_RESULT=$(grep -q "# FAIL: 0" librelp-test-normal.log && echo "0" || echo "1") + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" librelp + + # --- force-fail mode --- + make clean + WOLFPROV_FORCE_FAIL=1 make check 2>&1 | tee librelp-test-ff.log + TEST_RESULT=$(grep -q "# FAIL: 0" librelp-test-ff.log && echo "0" || echo "1") + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" librelp diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index a9186235..33062984 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -71,7 +71,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
@@ -151,12 +150,23 @@ jobs: working-directory: libssh2 shell: bash run: | - export ${{ matrix.force_fail }} + # --- normal mode --- # Always continue on errors to ensure we show test results set +e # Run the tests and capture the result set -o pipefail - make check 2>&1 | tee libssh2-test.log + make check 2>&1 | tee libssh2-test-normal.log TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} libssh2 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" libssh2 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + # Always continue on errors to ensure we show test results + set +e + + # Run the tests and capture the result + set -o pipefail + make check 2>&1 | tee libssh2-test-ff.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" libssh2 diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index b78ea979..268b065a 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -35,7 +35,6 @@ jobs: matrix: tpm2_tss_ref: [ '4.1.3'] openssl_ref: [ 'openssl-3.5.4' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -103,7 +102,7 @@ jobs: working-directory: tpm2_tss_repo run: | source $GITHUB_WORKSPACE/scripts/env-setup - export ${{ matrix.force_fail }} + # --- normal mode --- make check 2>&1 || true if $(grep -q "FAIL: test/unit" test-suite.log); then TEST_RESULT=1 
@@ -111,4 +110,15 @@ jobs: else TEST_RESULT=0 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} tpm2-tss + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" tpm2-tss + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + make check 2>&1 || true + if $(grep -q "FAIL: test/unit" test-suite.log); then + TEST_RESULT=1 + echo "Expected zero failures" + else + TEST_RESULT=0 + fi + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" tpm2-tss diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index bc41e7bd..3f320a77 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -133,7 +132,7 @@ jobs: working-directory: libwebsockets shell: bash run: | - export ${{ matrix.force_fail }} + # --- normal mode --- ./build/bin/libwebsockets-test-server --port=11111 --ssl > server.log 2>&1 & SERVER_PID=$! sleep 5 
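Review bot: `if $(grep -q "FAIL: test/unit" test-suite.log); then`, copied into the force-fail round, runs grep inside a command substitution and then tries to execute its (empty) output; it only works because bash returns the substitution's status for an empty command, and it reads as a mistake. Write `if grep -q "FAIL: test/unit" test-suite.log; then` in both rounds. Neither round tees `make check` output to a file and the second run presumably regenerates `test-suite.log` in place, so the normal-mode evidence is gone once the force-fail round runs; `make check 2>&1 | tee tpm2-tss-test-normal.log || true` (and `-ff.log`) would keep both, matching the other workflows in this patch. The normal-mode half of this step is in the previous hunk.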
@@ -149,4 +148,23 @@ jobs: else TEST_RESULT=0 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} libwebsockets + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" libwebsockets + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + ./build/bin/libwebsockets-test-server --port=11111 --ssl > server.log 2>&1 & SERVER_PID=$! + sleep 5 + timeout 10 ./build/bin/libwebsockets-test-client 127.0.0.1 --port=11111 --ssl > client.log 2>&1 || echo "Client exited with error $?" + ldd ./build/bin/libwebsockets-test-server | grep wolfProvider || echo "wolfProvider not found in server" + ldd ./build/bin/libwebsockets-test-client | grep wolfProvider || echo "wolfProvider not found in client" + kill $SERVER_PID || echo "Server already exited" + cat server.log || echo "Missing server.log" + cat client.log || echo "Missing client.log" + cat server.log client.log > libwebsockets-test.log + if grep -q "error:03080006" libwebsockets-test.log || grep -q "Failed to create default vhost" libwebsockets-test.log; then + TEST_RESULT=1 + else + TEST_RESULT=0 + fi + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" libwebsockets diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 90e23223..ee2847cc 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
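Review bot: The force-fail round starts a second `libwebsockets-test-server --port=11111` immediately after the normal round's `kill $SERVER_PID`, which has no `wait`, so the new server may try to bind while the old one is still shutting down; a bind failure lands in `server.log` as `Failed to create default vhost`, the check maps that to `TEST_RESULT=1`, and `check-workflow-result.sh` would presumably accept it as the expected force-fail outcome without wolfProvider having rejected anything. Follow the normal round's `kill $SERVER_PID || echo "Server already exited"` (it is between the two hunks, outside this one) with `wait $SERVER_PID 2>/dev/null || true`, or give the second server a different port. The round also writes `libwebsockets-test.log` over the normal round's copy; per-round names would keep both.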
@@ -167,10 +166,19 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make test - export ${{ matrix.force_fail }} + # --- normal mode --- autoconf --version | grep -P '2\.\d\d' -o > dist/autoconf-version - make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test.log + make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test-normal.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} net-snmp + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" net-snmp + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + autoconf --version | grep -P '2\.\d\d' -o > dist/autoconf-version + make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test-ff.log + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" net-snmp diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 55594dc2..d9c745c5 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
@@ -146,9 +145,17 @@ jobs: - name: Run nginx-tests with wolfProvider working-directory: nginx-tests run: | - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests and save result - TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v . 2>&1 | tee nginx-test.log + TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v . 2>&1 | tee nginx-test-normal.log TEST_RESULT=$? - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} nginx + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" nginx + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests and save result + TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v . 2>&1 | tee nginx-test-ff.log + TEST_RESULT=$? + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" nginx diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index ac05af92..c3668b0e 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -72,8 +72,8 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages 
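Review bot: `TEST_RESULT=$?` after `prove -v . 2>&1 | tee nginx-test-normal.log` captures tee's exit status, not prove's, in both rounds; the step declares no `shell:`, so the default `bash -e` has no `pipefail` (unless the job sets `defaults.run.shell`) and `TEST_RESULT` is effectively always `0`, meaning `check-workflow-result.sh` sees a pass in normal mode and a not-failed result in force-fail mode regardless of the tests. The commit carries this over from the old code but now duplicates it. Use `TEST_RESULT=${PIPESTATUS[0]}` after each tee, as krb5, libnice and openldap do in this same patch.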
@@ -157,22 +157,21 @@ jobs: make -j depend make -j - export ${{ matrix.force_fail }} - if [ -n "${{ matrix.force_fail }}" ]; then - set +e + # --- normal mode --- + make -j check 2>&1 | tee openldap-test-normal.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" openldap + + # --- force-fail mode --- + # WPFF breaks on test 067; cap at 15 min and treat timeout as failure. + export WOLFPROV_FORCE_FAIL=1 + set +e + timeout 15m make -j check 2>&1 | tee openldap-test-ff.log + TEST_RESULT=${PIPESTATUS[0]} + set -e + if [ $TEST_RESULT -eq 124 ]; then + echo "make -j check timed out after 15 minutes with WOLFPROV_FORCE_FAIL=1" + echo "Tests failed to complete as expected" + TEST_RESULT=1 fi - - if [ "${{ matrix.force_fail }}" = "WOLFPROV_FORCE_FAIL=1" ]; then - # Run with a 15 minute timeout for WPFF since it breaks on test 067 - timeout 15m make -j check 2>&1 | tee openldap-test.log - TEST_RESULT=${PIPESTATUS[0]} - if [ $TEST_RESULT -eq 124 ]; then - echo "make -j check timed out after 15 minutes with WOLFPROV_FORCE_FAIL=1" - echo "Tests failed to complete as expected" - TEST_RESULT=1 - fi - else - make -j check 2>&1 | tee openldap-test.log - TEST_RESULT=${PIPESTATUS[0]} - fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} openldap + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" openldap diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index a85ea16c..08a01d51 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
@@ -163,11 +162,21 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests and save output - make check | tee opensc-test.log + make check | tee opensc-test-normal.log # Check for expected test results in the test log (18 passes, 2 expected failures, with WPFF we expect 6 failures) TEST_RESULT=$(((grep -q "# PASS: 10" opensc-test.log) && (grep -q "# PASS: 8" opensc-test.log) && (grep -q "# XFAIL: 2" opensc-test.log)) && echo "0" || echo "1") - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} opensc + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" opensc + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests and save output + make check | tee opensc-test-ff.log + + # Check for expected test results in the test log (18 passes, 2 expected failures, with WPFF we expect 6 failures) + TEST_RESULT=$(((grep -q "# PASS: 10" opensc-test.log) && (grep -q "# PASS: 8" opensc-test.log) && (grep -q "# XFAIL: 2" opensc-test.log)) && echo "0" || echo "1") + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" opensc diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 5439d831..1ab93d1a 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -83,7 +83,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'non-FIPS' ] # FIPS is not yet supported for OpenSSH - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -165,7 +164,7 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # Enable unsafe permissions for testing export TEST_SSH_UNSAFE_PERMISSIONS=1 
@@ -199,6 +198,45 @@ jobs: export LD_LIBRARY_PATH=".:openbsd-compat:$LD_LIBRARY_PATH" # Include build dirs for symbol resolution # Run all the tests except (t-exec) as it takes too long - make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test.log + make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test-normal.log TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} openssh + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" openssh + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Enable unsafe permissions for testing + export TEST_SSH_UNSAFE_PERMISSIONS=1 + + # Priv-sep user/group (idempotent) + getent group sshd >/dev/null || addgroup --system sshd + id -u sshd >/dev/null 2>&1 || adduser --system --no-create-home \ + --ingroup sshd --home /nonexistent --shell /usr/sbin/nologin sshd + + # Priv-sep runtime dirs + install -d -m 0755 /run/sshd + + # The required chroot for privilege separation + # Must exist, be owned by root, and not be writable by group/world. + install -d -o root -g root -m 0755 /var/empty + + # Ensure the privsep user/group exist (idempotent) + if ! getent group sshd >/dev/null; then + addgroup --system sshd + fi + if ! id -u sshd >/dev/null 2>&1; then + adduser --system --no-create-home --ingroup sshd \ + --home /nonexistent --shell /usr/sbin/nologin sshd + fi + + autoreconf -ivf + ./configure --with-prngd-socket=/tmp/prngd \ + --with-ldflags=-Wl,--export-dynamic + make -j + + export LD_LIBRARY_PATH=".:openbsd-compat:$LD_LIBRARY_PATH" # Include build dirs for symbol resolution + + # Run all the tests except (t-exec) as it takes too long + make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test-ff.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" openssh 
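Review bot: The force-fail block re-runs `autoreconf -ivf`, `./configure` and `make -j` after `export WOLFPROV_FORCE_FAIL=1`, so configure's OpenSSL probes and the link itself now execute with the provider forced to fail; if either aborts, the step dies before the result ever reaches check-workflow-result.sh and that is indistinguishable from the test failure the mode is meant to capture. The binaries from the normal-mode build are unchanged, so the block can be reduced to the `export`, the `LD_LIBRARY_PATH` line and the `make file-tests interop-tests extra-tests unit …` run. The sshd priv-sep user/group is also created twice in the new block (the `getent || addgroup` one-liners and the `if ! getent` form right below them); keep one. The enclosing run block starts outside the hunk.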
diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index da944a5f..385f93ba 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -73,8 +73,8 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages @@ -161,13 +161,16 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} - if [ -n "${{ matrix.force_fail }}" ]; then - set +e - fi - - # Run tests and save result - make check 2>&1 | tee openvpn-test.log - # Capture the test result using PIPESTATUS (Bash only) + + # --- normal mode --- + make check 2>&1 | tee openvpn-test-normal.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" openvpn + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + set +e + make check 2>&1 | tee openvpn-test-ff.log TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} openvpn + set -e + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" openvpn diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index bae3debe..7b9ed833 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
@@ -133,7 +132,7 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- export PAM_PKCS11_REF=${{ matrix.pam_pkcs11_ref }} # Run tests @@ -146,4 +145,20 @@ jobs: echo "TEST_RESULT: $TEST_RESULT" # Capture result - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} pam_pkcs11 + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" pam_pkcs11 + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + export PAM_PKCS11_REF=${{ matrix.pam_pkcs11_ref }} + + # Run tests + if timeout 300 $GITHUB_WORKSPACE/.github/scripts/pam-pkcs11-test.sh; then + TEST_RESULT=0 + else + TEST_RESULT=1 + fi + + echo "TEST_RESULT: $TEST_RESULT" + + # Capture result + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" pam_pkcs11 diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index 7b5f0061..e718cb7b 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -164,10 +163,10 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests - make check 2>&1 | tee ppp-test.log + make check 2>&1 | tee ppp-test-normal.log # Check test results directly in YAML if grep -q "# FAIL: 0" pppd/test-suite.log; then 
@@ -176,4 +175,19 @@ jobs: TEST_RESULT=1 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} ppp + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" ppp + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests + make check 2>&1 | tee ppp-test-ff.log + + # Check test results directly in YAML + if grep -q "# FAIL: 0" pppd/test-suite.log; then + TEST_RESULT=0 + else + TEST_RESULT=1 + fi + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" ppp diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index b2a185ec..aeae940e 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml @@ -76,7 +76,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] steps: - name: Checkout wolfProvider @@ -147,13 +146,25 @@ jobs: - name: Run python3-ntp tests working-directory: ntpsec run: | - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests - ./waf check | tee python3-ntp-test.log + ./waf check | tee python3-ntp-test-normal.log if grep -q "'check' finished successfully" python3-ntp-test.log; then TEST_RESULT=0 else TEST_RESULT=1 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} python3-ntp + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" python3-ntp + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests + ./waf check | tee python3-ntp-test-ff.log + if grep -q "'check' finished successfully" python3-ntp-test.log; then + TEST_RESULT=0 + else + TEST_RESULT=1 + fi + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" python3-ntp 
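Review bot: In the python3-ntp hunk both `grep -q "'check' finished successfully" python3-ntp-test.log` checks point at the old log name while `./waf check` output now goes to `python3-ntp-test-normal.log` and `python3-ntp-test-ff.log`, so the grep fails on a missing file and TEST_RESULT is 1 in both modes no matter what waf reported. Change the greps to `python3-ntp-test-normal.log` and `python3-ntp-test-ff.log` respectively, as the xmlsec step in this same commit already does.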
diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index 311fe3eb..fdd15a87 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml @@ -68,7 +68,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -160,10 +159,10 @@ jobs: shell: bash run: | set +e - export ${{ matrix.force_fail }} + # --- normal mode --- # Run the QSSLSocket test, the make check takes too long - QTEST_ENVIRONMENT=ci ./tests/auto/network/ssl/qsslsocket/tst_qsslsocket 2>&1 | tee qsslsocket-test.log + QTEST_ENVIRONMENT=ci ./tests/auto/network/ssl/qsslsocket/tst_qsslsocket 2>&1 | tee qsslsocket-test-normal.log # Check test results based on qt_ref if grep -q "521 passed" qsslsocket-test.log; then @@ -174,4 +173,21 @@ jobs: echo "Tests failed unexpectedly for 'v5.15.8-lts-lgpl' branch." fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} qtbase-qsslsocket + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" qtbase-qsslsocket + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run the QSSLSocket test, the make check takes too long + QTEST_ENVIRONMENT=ci ./tests/auto/network/ssl/qsslsocket/tst_qsslsocket 2>&1 | tee qsslsocket-test-ff.log + + # Check test results based on qt_ref + if grep -q "521 passed" qsslsocket-test.log; then + TEST_RESULT=0 + echo "SUCCESS: Found 521 passed tests as expected" + else + TEST_RESULT=1 + echo "Tests failed unexpectedly for 'v5.15.8-lts-lgpl' branch." + fi + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" qtbase-qsslsocket diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 3502e0ea..7f79c1aa 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml 
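Review bot: The qt5network5 result checks still grep `qsslsocket-test.log` (the context line in the normal block and the copied line in the force-fail block), but tst_qsslsocket output is now written to `qsslsocket-test-normal.log` and `qsslsocket-test-ff.log`, so neither mode inspects the run it just made and the "SUCCESS: Found 521 passed" branch can never be taken. Use `if grep -q "521 passed" qsslsocket-test-normal.log; then` in the first block and `qsslsocket-test-ff.log` in the second. The run block starts above the hunk.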
@@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] steps: - name: Checkout wolfProvider @@ -141,10 +140,10 @@ jobs: - name: Run rsync tests working-directory: rsync_repo run: | - export ${{ matrix.force_fail }} + # --- normal mode --- # Run rsync test suite including our SHA test - make check 2>&1 | tee rsync-test.log + make check 2>&1 | tee rsync-test-normal.log # Check test results - look for "0 failed" in the output if grep -q "overall result is 0" rsync-test.log; then @@ -153,4 +152,19 @@ jobs: TEST_RESULT=1 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} rsync + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" rsync + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run rsync test suite including our SHA test + make check 2>&1 | tee rsync-test-ff.log + + # Check test results - look for "0 failed" in the output + if grep -q "overall result is 0" rsync-test.log; then + TEST_RESULT=0 + else + TEST_RESULT=1 + fi + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" rsync diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 9f510694..56b86f94 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -74,7 +74,6 @@ jobs: openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages 
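Review bot: The rsync checks grep `rsync-test.log` in both the normal block (context line) and the new force-fail block, while `make check` is tee'd to `rsync-test-normal.log` / `rsync-test-ff.log`; the "overall result is 0" test therefore reads a non-existent file and always yields TEST_RESULT=1. Point each grep at the log written by its own run, `rsync-test-normal.log` and `rsync-test-ff.log`.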
@@ -161,10 +160,16 @@ jobs: # Show socat version (includes OpenSSL version info) ./socat -V - export ${{ matrix.force_fail }} - set +e - # Run the tests with expected failures - SOCAT=$GITHUB_WORKSPACE/${{ matrix.socat_ref }}/socat ./test.sh -t 0.5 --expect-fail 36,64,146,214,216,217,309,310,386,399,402,403,408,409,410,416,417,418,451,452,453,459,460,467,468,475,476,477,478,491,492,526,527,528,529,530 + EXPECTED_FAILS=36,64,146,214,216,217,309,310,386,399,402,403,408,409,410,416,417,418,451,452,453,459,460,467,468,475,476,477,478,491,492,526,527,528,529,530 + + # --- normal mode --- + SOCAT=$GITHUB_WORKSPACE/${{ matrix.socat_ref }}/socat ./test.sh -t 0.5 --expect-fail $EXPECTED_FAILS + TEST_RESULT=$? + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" socat + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + SOCAT=$GITHUB_WORKSPACE/${{ matrix.socat_ref }}/socat ./test.sh -t 0.5 --expect-fail $EXPECTED_FAILS TEST_RESULT=$? - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} socat + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" socat diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index 8d737eb6..27c498a2 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -75,8 +75,8 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] + # force_fail collapsed into sequential runs in the test step steps: - name: Checkout wolfProvider 
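Review bot: The `set +e` that preceded `./test.sh` on the old side is removed and nothing re-enables error tolerance, so if this step runs under bash's errexit (the default for `shell: bash` on GitHub runners) the non-zero exit that `test.sh` is expected to return in force-fail mode aborts the step before `TEST_RESULT=$?` and before check-workflow-result.sh is called with `"WOLFPROV_FORCE_FAIL=1"`. Unless the run block disables errexit above the hunk (not visible here), add `set +e` before the first `./test.sh` invocation, or wrap each run in `set +e` / `set -e` as the openvpn and sssd steps in this series do.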
@@ -139,7 +139,13 @@ jobs: - name: Run sscep tests run: | - export ${{ matrix.force_fail }} - export WOLFPROV_FORCE_FAIL_STR="${{ matrix.force_fail }}" + cd sscep - cd sscep && $GITHUB_WORKSPACE/.github/scripts/test_sscep.sh + # --- normal mode --- + WOLFPROV_FORCE_FAIL_STR="" \ + $GITHUB_WORKSPACE/.github/scripts/test_sscep.sh + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + WOLFPROV_FORCE_FAIL_STR="WOLFPROV_FORCE_FAIL=1" \ + $GITHUB_WORKSPACE/.github/scripts/test_sscep.sh diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 05c99340..a7ea692f 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -39,7 +39,6 @@ jobs: sssd_ref: [ '2.9.1' ] wolfssl_ref: [ 'master', 'v5.8.0-stable' ] openssl_ref: [ 'openssl-3.5.0' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] exclude: - sssd_ref: 'master' force_fail: 'WOLFPROV_FORCE_FAIL=1' 
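Review bot: In the sssd matrix hunk the `exclude:` entry that follows the removed `force_fail` axis still filters on `force_fail: 'WOLFPROV_FORCE_FAIL=1'`, a key that no longer exists in the matrix. GitHub Actions rejects exclude keys that do not match a matrix dimension when it parses the workflow (or at best ignores the entry), so drop it or trim it to `- sssd_ref: 'master'` if that exclusion is still wanted; since `sssd_ref` is `[ '2.9.1' ]` here the whole entry may be dead anyway.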
@@ -96,22 +95,24 @@ jobs: working-directory: sssd shell: bash run: | - # Set environment variables + # Set environment variables (shared across both modes) export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/wolfssl-install/lib:$GITHUB_WORKSPACE/openssl-install/lib64 export OPENSSL_CONF=$GITHUB_WORKSPACE/provider.conf export OPENSSL_MODULES=$GITHUB_WORKSPACE/wolfprov-install/lib - export ${{ matrix.force_fail }} echo "Checking OpenSSL providers:" $GITHUB_WORKSPACE/openssl-install/bin/openssl list -providers | tee provider-list.log grep -q libwolfprov provider-list.log || (echo "ERROR: libwolfprov not found in OpenSSL providers" && exit 1) - # If force fail is enabled dont exit with error - if [ "${{ matrix.force_fail }}" == "WOLFPROV_FORCE_FAIL=1" ]; then - set +e - fi + # --- normal mode --- + make check 2>&1 | tee sssd-test-normal.log + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" sssd - # Run tests and save result - make check 2>&1 | tee sssd-test.log + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + set +e + make check 2>&1 | tee sssd-test-ff.log TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} sssd + set -e + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" sssd diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index 8e6dbf16..db598117 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -165,7 +164,7 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # enter venv source myenv/bin/activate 
@@ -188,4 +187,30 @@ jobs: TEST_RESULT=$(grep -c "failed: 0" tests/logs/results.log || echo 1) echo "Test result: $TEST_RESULT" - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} stunnel + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" stunnel + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # enter venv + source myenv/bin/activate + + # Set this variable to prevent attempts to load the legacy OpenSSL + # provider, which we don't support. + # This is necessary for OpenSSL 3.0+ to avoid errors related to legacy + # algorithms that are not supported by wolfProvider. + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + + # Verify stunnel + ./src/stunnel -version + + # Run tests + # Results captured in tests/logs/results.log + # Use `timeout` since the tests hang with WOLFPROV_FORCE_FAIL=1 + timeout 10 make check 2>&1 || true + + # grep for "failed: 0" in the results log, indicating success + TEST_RESULT=$(grep -c "failed: 0" tests/logs/results.log || echo 1) + echo "Test result: $TEST_RESULT" + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" stunnel diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index b56e8e7d..aaf769aa 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml @@ -75,7 +75,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] steps: - name: Checkout wolfProvider 
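Review bot: The force-fail block greps `tests/logs/results.log` after `timeout 10 make check 2>&1 || true`, but that file was just produced by the normal-mode run above it; when the WPFF run hangs and is killed before the harness rewrites the file, the grep sees the normal run's `failed: 0` and reports the wrong outcome for the force-fail leg. Add `rm -f tests/logs/results.log` right after `export WOLFPROV_FORCE_FAIL=1` so an incomplete run shows up as a missing file. Separately, `TEST_RESULT=$(grep -c "failed: 0" … || echo 1)` expands to `1` when the line is found once and to `0` plus `1` when it is absent, so the value passed to check-workflow-result.sh is not a clean 0/1 status; `grep -q "failed: 0" tests/logs/results.log && TEST_RESULT=0 || TEST_RESULT=1` is what the comment describes.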
@@ -151,11 +150,21 @@ jobs: test-dns-packet test-dnssec test-resolve-tables \ test-resolved-etc-hosts test-resolved-packet \ test-resolved-stream" - export ${{ matrix.force_fail }} + # --- normal mode --- meson test -C build $TEST_CASES TEST_RESULT=$? if [ $TEST_RESULT -ne 0 ]; then cat build/meson-logs/testlog.txt fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} systemd + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" systemd + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + meson test -C build $TEST_CASES + TEST_RESULT=$? + if [ $TEST_RESULT -ne 0 ]; then + cat build/meson-logs/testlog.txt + fi + + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" systemd diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index 948bb522..9ffba2e1 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml @@ -69,7 +69,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
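Review bot: In the systemd hunk the force-fail leg is designed to make `meson test -C build $TEST_CASES` exit non-zero, yet `TEST_RESULT=$?` follows it with no `set +e`; under the errexit that `shell: bash` enables by default the step aborts on that line, the testlog is never printed and check-workflow-result.sh never sees the expected failure. If the run block does not disable errexit above the hunk (not visible here), wrap the command as `set +e; meson test -C build $TEST_CASES; TEST_RESULT=$?; set -e` in both blocks. The normal-mode leg has the same shape and inherits the same problem.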
@@ -158,10 +157,19 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # Run tests - make check 2>&1 | tee tcpdump-test.log + make check 2>&1 | tee tcpdump-test-normal.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} tcpdump + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" tcpdump + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run tests + make check 2>&1 | tee tcpdump-test-ff.log + # Capture the test result using PIPESTATUS (Bash only) + TEST_RESULT=${PIPESTATUS[0]} + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" tcpdump diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 7d143a79..c4c1f1d2 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: ['WOLFPROV_FORCE_FAIL=1', ''] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -140,7 +139,7 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # Configure with OpenSSL ./configure 
@@ -169,8 +168,44 @@ jobs: echo "Testing SSL/TLS connection..." timeout 15 ./src/tnftp -n https://httpbin.org/get 2>&1 echo "SSL/TLS test completed" - } 2>&1 | tee tnftp-test.log + } 2>&1 | tee tnftp-test-normal.log # Capture result and check for expected failure TEST_RESULT=$(grep -q "SSL context creation failed" tnftp-test.log && echo "1" || echo "0") - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} tnftp + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" tnftp + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Configure with OpenSSL + ./configure + + # Build tnftp + make -j + + # Run all tests and capture output + { + echo "Testing tnftp basic functionality..." + + # Test help command + if ./src/tnftp -? 2>&1 | grep -q "usage:"; then + echo "tnftp help command works" + else + echo "tnftp help command failed" + exit 1 + fi + + # Test that tnftp can start (even if it fails to connect) + echo "Testing tnftp connection attempt..." + timeout 10 ./src/tnftp -n 192.0.2.1 2>&1 | head -10 + echo "tnftp can attempt connections" + + # Test SSL/TLS functionality + echo "Testing SSL/TLS connection..." + timeout 15 ./src/tnftp -n https://httpbin.org/get 2>&1 + echo "SSL/TLS test completed" + } 2>&1 | tee tnftp-test-ff.log + + # Capture result and check for expected failure + TEST_RESULT=$(grep -q "SSL context creation failed" tnftp-test.log && echo "1" || echo "0") + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" tnftp diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 2cc9e669..c0ffff69 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml 
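Review bot: The tnftp result line `TEST_RESULT=$(grep -q "SSL context creation failed" tnftp-test.log && echo "1" || echo "0")` still names the old log in both blocks while output now goes to `tnftp-test-normal.log` and `tnftp-test-ff.log`; on a missing file grep fails, the `|| echo "0"` branch fires, and both modes report 0 no matter what tnftp printed, so the normal leg passes unconditionally and the force-fail leg never records the failure it is supposed to produce. Point each grep at its own log (`tnftp-test-normal.log`, `tnftp-test-ff.log`). The force-fail block also re-runs `./configure` and `make -j` with WOLFPROV_FORCE_FAIL=1 exported, which makes a configure-time provider failure abort the step before the test; the binary from the normal build is already there and the rebuild can be dropped.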
@@ -72,7 +72,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -144,7 +143,7 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} + # --- normal mode --- # Run only unit tests and integration tests that dont need TPM2 hardware/simulator make check TESTS="test/unit/test_string_bytes test/unit/test_files \ 
@@ -154,8 +153,25 @@ jobs: test/unit/test_options test/unit/test_cc_util test/unit/test_tpm2_eventlog \ test/unit/test_tpm2_eventlog_yaml test/unit/test_object \ test/integration/tests/X509certutil test/integration/tests/toggle_options \ - test/integration/tests/rc_decode test/integration/tests/X509certutil" 2>&1 | tee tpm2-tools-test.log + test/integration/tests/rc_decode test/integration/tests/X509certutil" 2>&1 | tee tpm2-tools-test-normal.log # Capture result - Fails test/unit/test_tpm2_policy and test/unit/test_tpm2_eventlog with WPFF TEST_RESULT=$(grep -q "# PASS: 20" tpm2-tools-test.log && echo "0" || echo "1") - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} tpm2-tools + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" tpm2-tools + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + + # Run only unit tests and integration tests that dont need TPM2 hardware/simulator + make check TESTS="test/unit/test_string_bytes test/unit/test_files \ + test/unit/test_tpm2_header test/unit/test_tpm2_attr_util test/unit/test_tpm2_alg_util \ + test/unit/test_pcr test/unit/test_tpm2_auth_util test/unit/test_tpm2_errata \ + test/unit/test_tpm2_session test/unit/test_tpm2_policy test/unit/test_tpm2_util \ + test/unit/test_options test/unit/test_cc_util test/unit/test_tpm2_eventlog \ + test/unit/test_tpm2_eventlog_yaml test/unit/test_object \ + test/integration/tests/X509certutil test/integration/tests/toggle_options \ + test/integration/tests/rc_decode test/integration/tests/X509certutil" 2>&1 | tee tpm2-tools-test-ff.log + + # Capture result - Fails test/unit/test_tpm2_policy and test/unit/test_tpm2_eventlog with WPFF + TEST_RESULT=$(grep -q "# PASS: 20" tpm2-tools-test.log && echo "0" || echo "1") + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" tpm2-tools 
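Review bot: The tpm2-tools checks `grep -q "# PASS: 20" tpm2-tools-test.log` in both blocks, but `make check` output is now tee'd to `tpm2-tools-test-normal.log` and `tpm2-tools-test-ff.log`, so the grep hits a missing file and TEST_RESULT is always 1 in both modes. Use `tpm2-tools-test-normal.log` in the first block and `tpm2-tools-test-ff.log` in the second. Minor: `test/integration/tests/X509certutil` appears twice in the copied TESTS list.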
diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index e0e051a0..7b6adfbd 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml @@ -71,7 +71,6 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages @@ -159,19 +158,36 @@ jobs: - name: Run x11vnc tests shell: bash run: | - export ${{ matrix.force_fail }} - export WOLFPROV_FORCE_FAIL_STR="${{ matrix.force_fail }}" - export X11VNC_TEST_LOG=/tmp/x11vnc-test.log export X11VNC_TEST_STATUS=0 - if ! $GITHUB_WORKSPACE/.github/scripts/x11vnc/test_x11vnc.sh $X11VNC_TEST_LOG; then + + run_round() { + local mode_label="$1" + local ff_arg="$2" + local log="/tmp/x11vnc-test-${mode_label}.log" + local status=0 + if ! $GITHUB_WORKSPACE/.github/scripts/x11vnc/test_x11vnc.sh "$log"; then + status=1 + fi + if $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh "$status" "$ff_arg" x11vnc; then + return 0 + fi + return 1 + } + + # --- normal mode --- + if ! run_round normal ""; then X11VNC_TEST_STATUS=1 fi - - if $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $X11VNC_TEST_STATUS "$WOLFPROV_FORCE_FAIL_STR" x11vnc; then - X11VNC_TEST_STATUS=0 - else + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + if ! run_round ff "WOLFPROV_FORCE_FAIL=1"; then X11VNC_TEST_STATUS=1 fi + unset WOLFPROV_FORCE_FAIL + + # Surface the most recent log via the existing follow-up step + export X11VNC_TEST_LOG=/tmp/x11vnc-test-ff.log - name: Show x11vnc test log on failure run: | diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index 2db0a57d..048da6ea 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml 
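Review bot: X11VNC_TEST_STATUS is set to 1 when either `run_round` fails but is never used to fail the step: the run block ends with `export X11VNC_TEST_LOG=…`, so the step exits 0 even when the tests or check-workflow-result.sh rejected the outcome. `export` is also step-local, so the following "Show x11vnc test log on failure" step will not see the new `-ff.log` path unless it hardcodes it. Replace the last line with `echo "X11VNC_TEST_LOG=/tmp/x11vnc-test-ff.log" >> "$GITHUB_ENV"` followed by `exit "$X11VNC_TEST_STATUS"`. The missing exit predates this change, but the rewrite is the natural place to fix it.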
@@ -45,8 +45,8 @@ jobs: wolfssl_ref: [ 'v5.8.4-stable' ] openssl_ref: [ 'openssl-3.5.4' ] fips_ref: [ 'FIPS', 'non-FIPS' ] - force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] replace_default: [ true ] + # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages @@ -135,12 +135,24 @@ jobs: shell: bash run: | set +o pipefail # ignore errors from make check - export ${{ matrix.force_fail }} - make check-keys | tee xmlsec-keys.log - make check-enc | tee xmlsec-enc.log - if grep -q "TOTAL FAILED: 0" xmlsec-enc.log && grep -q "TOTAL FAILED: 0" xmlsec-keys.log; then + + # --- normal mode --- + make check-keys | tee xmlsec-keys-normal.log + make check-enc | tee xmlsec-enc-normal.log + if grep -q "TOTAL FAILED: 0" xmlsec-enc-normal.log && grep -q "TOTAL FAILED: 0" xmlsec-keys-normal.log; then + TEST_RESULT=0 + else + TEST_RESULT=1 + fi + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" xmlsec + + # --- force-fail mode --- + export WOLFPROV_FORCE_FAIL=1 + make check-keys | tee xmlsec-keys-ff.log + make check-enc | tee xmlsec-enc-ff.log + if grep -q "TOTAL FAILED: 0" xmlsec-enc-ff.log && grep -q "TOTAL FAILED: 0" xmlsec-keys-ff.log; then TEST_RESULT=0 else TEST_RESULT=1 fi - $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} xmlsec + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" xmlsec From b16c654d200a8091f37936ed7905414c8bb6270b Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 12:17:03 -0700 Subject: [PATCH 09/26] ci: bake test deps into ghcr.io/wolfssl/wolfprovider-test-deps (Phase C) Eliminate per-job apt-get update / apt-get install across every Debian-container PR workflow. The Debian mirror flake class is gone: zero apt-get update calls during a normal PR run. New: docker/wolfprovider-test-deps/Dockerfile Single Debian-bookworm image with every build dep, test fixture binary, perl/python module, and X11/netlink/TPM/PCSC dev header any workflow installs at job time today. Built once, cached across jobs. New: .github/workflows/publish-test-deps-image.yml Builds and pushes the image to ghcr.io on push to master when the Dockerfile changes, or via workflow_dispatch. Forks just build to verify (no push). Tagged :bookworm and :bookworm-. Migrated 39 workflows to image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm bind9, cjose, curl, debian-package, git-ssh-dr, grpc, hostap, iperf, krb5, libcryptsetup, libeac3, libfido2, libhashkit2, libnice, liboauth2, librelp, libssh2, libtss2, libwebsockets, net-snmp, nginx, openldap, opensc, openssh, openvpn, pam-pkcs11, ppp, python3-ntp, qt5network5, rsync, socat, sscep, stunnel, systemd, tcpdump, tnftp, tpm2-tools, x11vnc, xmlsec. libtss2.yml moved from bare ubuntu-22.04 into the container, with its libssl-dev removal preserved (configure needs to pick up only the in-tree openssl headers built by scripts/build-wolfprovider.sh). Removed redundant steps in those workflows -- the dep installs they performed are now baked into the image. Kept: - apt install of the wolfssl/openssl/wolfprov .debs that arrive from build-wolfprovider artifacts; - apt-mark hold of the wolfprov-patched libssl3 chain; - debian-package.yml's apt-get remove --purge libwolfprov lifecycle check; - hostap.yml's apt-get remove python3-cryptography + pip install cryptography (test scripts require the pip wheel, not the apt one). 
Not migrated: - build-wolfprovider.yml: keeps the existing wolfssl-built ghcr.io/wolfssl/build-wolfprovider-debian:bookworm. It is the .deb-producer container, separate concern. - sssd.yml: keeps quay.io/sssd/ci-client-devel; the SSSD CI image bundles upstream test fixtures we cannot easily replicate here. - multi-compiler.yml: bare runner intentionally; the matrix installs gcc-9..13 and clang-13..17 to exercise compiler compat, and baking those into the image would balloon it. - static-analysis.yml: schedule-only, leaving as bare runner. --- .github/workflows/bind9.yml | 12 +-- .github/workflows/cjose.yml | 8 +- .github/workflows/curl.yml | 8 +- .github/workflows/debian-package.yml | 9 +- .github/workflows/git-ssh-dr.yml | 9 +- .github/workflows/grpc.yml | 8 +- .github/workflows/hostap.yml | 12 +-- .github/workflows/iperf.yml | 8 +- .github/workflows/krb5.yml | 11 +-- .github/workflows/libcryptsetup.yml | 10 +- .github/workflows/libeac3.yml | 8 +- .github/workflows/libfido2.yml | 8 +- .github/workflows/libhashkit2.yml | 7 +- .github/workflows/libnice.yml | 2 +- .github/workflows/liboauth2.yml | 9 +- .github/workflows/librelp.yml | 9 +- .github/workflows/libssh2.yml | 10 +- .github/workflows/libtss2.yml | 24 ++--- .github/workflows/libwebsockets.yml | 7 +- .github/workflows/net-snmp.yml | 8 +- .github/workflows/nginx.yml | 9 +- .github/workflows/openldap.yml | 10 +- .github/workflows/opensc.yml | 11 +-- .github/workflows/openssh.yml | 8 +- .github/workflows/openvpn.yml | 13 +-- .github/workflows/pam-pkcs11.yml | 13 +-- .github/workflows/ppp.yml | 7 +- .github/workflows/publish-test-deps-image.yml | 57 +++++++++++ .github/workflows/python3-ntp.yml | 8 +- .github/workflows/qt5network5.yml | 9 +- .github/workflows/rsync.yml | 9 +- .github/workflows/socat.yml | 10 +- .github/workflows/sscep.yml | 7 +- .github/workflows/stunnel.yml | 9 +- .github/workflows/systemd.yml | 15 +-- .github/workflows/tcpdump.yml | 8 +- .github/workflows/tnftp.yml | 8 +- 
.github/workflows/tpm2-tools.yml | 10 +- .github/workflows/x11vnc.yml | 19 +--- .github/workflows/xmlsec.yml | 9 +- docker/wolfprovider-test-deps/Dockerfile | 97 +++++++++++++++++++ 41 files changed, 206 insertions(+), 327 deletions(-) create mode 100644 .github/workflows/publish-test-deps-image.yml create mode 100644 docker/wolfprovider-test-deps/Dockerfile diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index a3c009b9..d22e9b2a 100644 --- a/.github/workflows/bind9.yml +++ b/.github/workflows/bind9.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,16 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install bind9 test dependencies - run: | - apt-get update - apt install -y build-essential automake libtool gnutls-bin \ - pkg-config make libidn2-dev libuv1-dev libnghttp2-dev libcap-dev \ - libjemalloc-dev zlib1g-dev libxml2-dev libjson-c-dev libcmocka-dev \ - python3-pytest python3-dnspython python3-hypothesis patch iproute2 \ - net-tools git - PERL_MM_USE_DEFAULT=1 cpan -i Net::DNS - - name: Checkout bind9 uses: actions/checkout@v4 with: diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index 0ef0db65..38b3f142 100644 --- a/.github/workflows/cjose.yml +++ b/.github/workflows/cjose.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
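Review bot: `image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm` is a mutable tag, so every PR job now trusts whatever was most recently pushed under that name and its toolchain can change underneath a review without any diff in this repository. Pin the reference to a digest, e.g. `image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm@sha256:<digest>`, and bump it deliberately when publish-test-deps-image.yml produces a new image; the commit message says a per-build tag is published, which is what such a bump would track. This applies to all 39 migrated workflows in the commit, not only bind9.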
@@ -80,12 +80,6 @@ jobs: OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages steps: - - name: Install cjose dependencies - run: | - apt-get update - apt-get install -y git build-essential autoconf automake \ - libtool pkg-config libjansson-dev check ca-certificates dpkg-dev - - name: Checkout wolfProvider uses: actions/checkout@v4 with: diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 8ae147f0..f0a287fd 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -115,12 +115,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y nghttp2 libpsl5 libpsl-dev python3-impacket \ - build-essential autoconf automake libtool - - name: Build curl uses: wolfSSL/actions-build-autotools-project@v1 with: diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 71b2be2d..b8d5461e 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml @@ -62,7 +62,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
@@ -100,12 +100,9 @@ jobs: ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \ ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \ ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb - else - # Install standard OpenSSL packages - apt-get update - apt-get install -y \ - openssl libssl3 libssl-dev fi + # Standalone mode uses the stock openssl/libssl3/libssl-dev that + # ship in the wolfprovider-test-deps container -- no install needed. - name: Install wolfSSL and wolfProvider packages run: | diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index d2d38c2f..63e787dc 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml @@ -57,7 +57,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive needs: build_wolfprovider @@ -116,13 +116,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Set up environment - run: | - export DEBIAN_FRONTEND=noninteractive - apt-get update - apt-get install -y openssh-client openssh-server expect xxd git \ - net-tools git-all - - name: Run git + replace default + ssh test shell: bash run: | diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 5b848ea4..cd7f8643 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
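Review bot: Dropping the `else` branch leaves the standalone path with no check that the image really ships `openssl`, `libssl3` and `libssl-dev`; the trailing comment only asserts it, so an image rebuild that drops one of them would surface as a confusing test failure (or a pass against the wrong library) rather than a clear error. Keep the branch as a fail-fast guard: `else` / `# Stock packages come from the image; fail fast if they are missing.` / `dpkg -s openssl libssl3 libssl-dev >/dev/null`. The `run:` script this `if` belongs to starts outside the hunk.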
@@ -121,12 +121,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install prerequisites - run: | - apt-get update - apt-get install -y build-essential autoconf libtool pkg-config clang \ - libc++-dev iproute2 net-tools git python3-six - - name: Confirm IPv4 and IPv6 support run: | ip addr list lo | grep 'inet ' diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index 613bb81d..b7723cd9 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm with privileged access for UML container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --privileged --cap-add=ALL -v /dev:/dev env: DEBIAN_FRONTEND: noninteractive @@ -128,15 +128,9 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install hostap dependencies + - name: Install hostap-specific Python crypto module run: | - apt-get update - apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \ - libnl-3-dev binutils-dev libiberty-dev libnl-genl-3-dev libnl-route-3-dev \ - libdbus-1-dev bridge-utils tshark python3-pycryptodome libsqlite3-dev \ - libzstd1 wireless-tools iw build-essential autoconf automake libtool \ - pkg-config git wget ca-certificates flex bison bc libxml2-dev zlib1g-dev \ - python3-pip psmisc iproute2 procps net-tools systemd kmod wireless-regdb + # hostap test scripts need pip's cryptography, not the apt one. apt-get remove -y python3-cryptography 2>/dev/null || true pip install --no-cache-dir --force-reinstall --break-system-packages cryptography diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 27f0bc14..88a06f06 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml 
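Review bot: The rewritten step still runs `pip install ... cryptography` unpinned from PyPI at test time, which reintroduces the network fetch the image migration removes everywhere else and lets the resolved `cryptography` version (and the OpenSSL bundled in its wheel) differ from run to run. Pin it, e.g. `pip install --no-cache-dir --force-reinstall --break-system-packages 'cryptography==<PINNED_VERSION>'` (placeholder), or bake the pinned wheel into the image and drop the step entirely. `--break-system-packages` also overrides Debian's externally-managed guard; that is acceptable in a throwaway container, but the comment should say why the apt package is unsuitable so the override is not copied elsewhere.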
@@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,12 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y build-essential autoconf libtool pkg-config clang \ - libc++-dev - - name: Checkout iperf uses: actions/checkout@v4 with: diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 670cbe6a..5dfd2b07 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,15 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install KRB5 dependencies - run: | - apt-get update - apt-get install -y \ - build-essential autoconf automake libtool \ - bison flex libldap2-dev libkeyutils-dev \ - libverto-dev libcom-err2 comerr-dev \ - libss2 ss-dev - - name: Checkout KRB5 uses: actions/checkout@v4 with: diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index 96b8aced..477a53ac 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
@@ -114,14 +114,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y \ - build-essential autoconf asciidoctor gettext autopoint libtool \ - pkg-config uuid-dev libdevmapper-dev libpopt-dev libjson-c-dev \ - libargon2-dev libblkid-dev bsdextrautils kmod util-linux cryptsetup-bin - - name: Checkout cryptsetup uses: actions/checkout@v4 with: diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index fc61b781..730c6092 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -115,12 +115,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install libeac3 dependencies - run: | - apt-get update - apt-get install -y autoconf automake libtool libc6 help2man gengetopt \ - pkg-config m4 patch autoconf automake libtool pkg-config build-essential - - name: Checkout openpace uses: actions/checkout@v4 with: diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 2d55de06..3e0f7fa9 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml @@ -56,7 +56,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 
@@ -108,12 +108,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install test dependencies - run: | - apt-get update - apt-get install -y build-essential cmake pkg-config libudev-dev \ - zlib1g-dev libcbor-dev libpcsclite-dev pcscd - - name: Checkout libfido2 uses: actions/checkout@v4 with: diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index e3514ab1..657df4f8 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,11 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install libmemcached dependencies - run: | - apt-get update - apt-get install -y cmake build-essential bison flex memcached libc6 - - name: Download libmemcached uses: actions/checkout@v4 with: diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index 0749e743..9e3027d2 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index 54a5b8ed..a3544276 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 
@@ -112,13 +112,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install liboauth2 dependencies - run: | - apt-get update - apt-get install -y libcurl4-openssl-dev libjansson-dev \ - libcjose-dev pkg-config build-essential apache2-dev libhiredis-dev \ - libmemcached-dev autotools-dev autoconf automake libtool check patch - - name: Checkout OSP uses: actions/checkout@v4 with: diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index 86b9fede..b4df8f13 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -81,13 +81,6 @@ jobs: OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages steps: - - name: Install dependencies - run: | - apt-get update - apt-get install -y git build-essential autoconf automake \ - libtool pkg-config libgnutls28-dev net-tools iproute2 python3 \ - valgrind libtool-bin - - name: Checkout wolfProvider uses: actions/checkout@v4 with: diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 33062984..17629dfb 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 
@@ -112,14 +112,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - export DEBIAN_FRONTEND=noninteractive - apt-get update - apt-get install -y git sudo build-essential autoconf automake \ - libtool pkg-config libjansson-dev check ca-certificates dpkg-dev \ - clang libc++-dev python3-impacket openssh-client openssh-server - - name: Download libssh2 uses: actions/checkout@v4 with: diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index 268b065a..92265630 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -29,6 +29,10 @@ jobs: needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 + container: + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + env: + DEBIAN_FRONTEND: noninteractive timeout-minutes: 30 strategy: fail-fast: false 
@@ -41,22 +45,14 @@ jobs: OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages steps: - - name: Install test dependencies - run: | - sudo apt-get update - sudo apt-get install -y pkg-config libcunit1-dev autoconf-archive \ - gettext libcmocka-dev build-essential autoconf automake libtool \ - libjson-c-dev libcurl4-openssl-dev acl libusb-1.0-0-dev git \ - pkg-config uuid-dev - - # ensure libssl-dev is not installed - - name: Ensure libssl-dev is not installed + # tpm2-tss configure picks up the stock /usr/include/openssl/* + # otherwise, which conflicts with the wolfssl-built openssl this + # workflow links against. Remove libssl-dev from the container so + # configure finds only the in-tree headers. + - name: Remove stock libssl-dev run: | if dpkg -l | grep -q libssl-dev; then - echo "libssl-dev is installed, removing it to avoid conflicts" - sudo apt-get remove -y libssl-dev - else - echo "libssl-dev is not installed, no action needed" + apt-get remove -y libssl-dev fi - name: Checkout wolfProvider diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index 3f320a77..1fc47c72 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -84,11 +84,6 @@ jobs: with: fetch-depth: 1 - - name: Install libwebsockets dependencies - run: | - apt-get update - apt-get install -y libc6 libcap2 zlib1g cmake build-essential dpkg-dev - - name: Download packages from build job uses: actions/download-artifact@v4 with: diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index ee2847cc..22a7357a 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml 
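Review bot: The `Remove stock libssl-dev` step guards on `dpkg -l | grep -q libssl-dev`, which also matches packages in the removed-but-config-remaining (`rc`) state and any description line containing that string, and nothing verifies the headers are actually gone afterwards. A precise check is `if dpkg-query -W -f='${Status}' libssl-dev 2>/dev/null | grep -q 'install ok installed'; then`, followed after the removal by `test ! -e /usr/include/openssl/ssl.h` so a future image that provides the headers through another package fails here instead of at link time. Note that `apt-get remove` also removes reverse-dependencies of libssl-dev (the bare-runner version behaved the same), so check the step log for any `-dev` package tpm2-tss needs disappearing alongside it.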
@@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,12 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y libperl-dev build-essential autoconf \ - libtool pkg-config gettext net-tools - - name: Checkout net-snmp uses: actions/checkout@v4 with: diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index d9c745c5..60f0c4e9 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,13 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update && \ - apt-get install -y perl build-essential autoconf automake libtool \ - pkg-config libpcre3-dev zlib1g-dev - cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL - - name: Checkout nginx uses: actions/checkout@v4 with: diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index c3668b0e..9c384a6d 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
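Review bot: Removing the `cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL` step moves those modules into the image, where Net::SSLeay is built against the image's stock libssl rather than, as before, after the wolfSSL-built OpenSSL packages were installed by the preceding step. Whether the prebuilt Net::SSLeay then loads the replaced libssl.so.3 cleanly is not visible here; add a check after the package install, e.g. `perl -MNet::SSLeay -e 'print Net::SSLeay::SSLeay_version(0), "\n"'`, so the run log shows which OpenSSL the test harness actually drives. The Dockerfile is outside this view, so also confirm it installs all three modules.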
@@ -114,14 +114,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - export DEBIAN_FRONTEND=noninteractive - apt-get update - apt-get install -y git sudo build-essential autoconf automake \ - libtool pkg-config libjansson-dev check ca-certificates dpkg-dev \ - groff libsasl2-dev - - name: Checkout openldap uses: actions/checkout@v4 with: diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index 08a01d51..52b1cad9 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,15 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install OpenSC dependencies - run: | - apt-get update - apt-get install -y \ - autotools-dev libtool automake autoconf make pkg-config \ - libeac-dev gengetopt libpcsclite-dev libreadline-dev \ - zlib1g-dev docbook-xsl xsltproc pcscd softhsm2 opensc pcsc-tools \ - vim libcmocka-dev libjson-c-dev libp11-dev patch - - name: Download OpenSC uses: actions/checkout@v4 with: diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 1ab93d1a..f5f34bd2 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm # Extra permissions needed for Debian Bookworm options: >- --privileged 
@@ -124,12 +124,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y build-essential autoconf automake libtool \ - pkg-config patch zlib1g-dev kmod util-linux cryptsetup-bin - - name: Ensure kernel modules are present run: | # loop + device-mapper (dm-crypt); scsi_debug is optional and may still be unavailable on the host kernel diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 385f93ba..69fe3d04 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -62,7 +62,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive strategy: @@ -116,17 +116,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Set up environment - run: | - export DEBIAN_FRONTEND=noninteractive - apt-get update - apt-get install -y git sudo build-essential autoconf automake \ - libtool pkg-config libjansson-dev check ca-certificates dpkg-dev \ - liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev \ - linux-libc-dev man2html libcmocka-dev python3-docutils \ - iproute2 libtool automake autoconf libnl-genl-3-dev \ - libnl-genl-3-200 - - name: Find ossl headers run: | find / -name ssl.h 2>/dev/null || true diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index 7b9ed833..1d575887 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
@@ -83,12 +83,6 @@ jobs: with: fetch-depth: 1 - - name: Install git and basic dependencies - run: | - apt-get update - apt-get install -y git - - # Avoid "detected dubious ownership" warning - name: Ensure the working directory safe run: | git config --global --add safe.directory "$GITHUB_WORKSPACE" @@ -123,11 +117,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install test dependencies - run: | - apt-get update - apt-get install -y pkg-config build-essential autoconf automake libtool - - name: Run pam_pkcs11 tests shell: bash run: | diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index e718cb7b..d4698e19 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -58,7 +58,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 @@ -115,11 +115,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y build-essential autoconf libtool patch - - name: Checkout PPP uses: actions/checkout@v4 with: diff --git a/.github/workflows/publish-test-deps-image.yml b/.github/workflows/publish-test-deps-image.yml new file mode 100644 index 00000000..7f15612c --- /dev/null +++ b/.github/workflows/publish-test-deps-image.yml 
@@ -0,0 +1,57 @@ +name: Publish test-deps image + +# Builds docker/wolfprovider-test-deps/Dockerfile and pushes it to +# ghcr.io/wolfssl/wolfprovider-test-deps:bookworm. +# +# Fires when the Dockerfile changes on master, or manually via +# workflow_dispatch. The pushed image is what every Debian-container +# PR workflow consumes (see e.g. bind9.yml's `container:` block). + +on: + push: + branches: [ 'master', 'main' ] + paths: + - 'docker/wolfprovider-test-deps/**' + - '.github/workflows/publish-test-deps-image.yml' + workflow_dispatch: {} + +concurrency: + group: publish-test-deps-image + cancel-in-progress: false + +permissions: + contents: read + packages: write + +jobs: + publish: + runs-on: ubuntu-22.04 + timeout-minutes: 45 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to ghcr.io + if: github.repository == 'wolfSSL/wolfProvider' + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: docker/wolfprovider-test-deps + file: docker/wolfprovider-test-deps/Dockerfile + # Only push from the canonical repo; forks just verify it builds. + push: ${{ github.repository == 'wolfSSL/wolfProvider' }} + tags: | + ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + ghcr.io/wolfssl/wolfprovider-test-deps:bookworm-${{ github.sha }} + cache-from: type=registry,ref=ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + cache-to: type=inline diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index aeae940e..5ea6931e 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml 
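Review bot: This workflow holds `packages: write` and pushes the image every PR job runs in, yet `docker/setup-buildx-action@v3`, `docker/login-action@v3` and `docker/build-push-action@v6` are referenced by floating major tags, so a compromised or moved tag in any of those repositories could publish an image into every consumer. Pin them to full commit SHAs with a trailing version comment, e.g. `uses: docker/build-push-action@<COMMIT_SHA> # v6` (placeholder). Consider also writing the build step's `digest` output to the job summary so consumer workflows can pin `:bookworm@sha256:...` to the published image instead of the mutable tag.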
@@ -62,7 +62,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive @@ -113,12 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install python3-ntp dependencies - run: | - apt-get update - apt-get install -y build-essential bison libcap-dev libseccomp-dev \ - libavahi-compat-libdnssd-dev pps-tools python-dev-is-python3 - - name: Checkout python3-ntp uses: actions/checkout@v4 with: diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index fdd15a87..d98da1a7 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 40 @@ -109,13 +109,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install Qt dependencies - run: | - apt-get update - apt-get install -y build-essential pkg-config dpkg-dev \ - python3 perl libpcre2-dev zlib1g-dev cmake ninja-build \ - bison flex libpng-dev libjpeg-dev git ca-certificates - - name: Checkout OSP uses: actions/checkout@v4 with: diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 7f79c1aa..23d578d2 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml @@ -58,7 +58,7 @@ jobs: needs: build_wolfprovider timeout-minutes: 15 container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive 
@@ -109,13 +109,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install rsync dependencies - run: | - apt-get update - apt-get install -y gcc g++ gawk autoconf automake python3-cmarkgfm \ - acl libacl1-dev attr libattr1-dev libxxhash-dev \ - libzstd-dev liblz4-dev build-essential - - name: Checkout rsync uses: actions/checkout@v4 with: diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 56b86f94..5016ee92 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider continue-on-error: true container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -114,14 +114,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - export DEBIAN_FRONTEND=noninteractive - apt-get update - apt-get install -y git sudo build-essential autoconf automake \ - libtool pkg-config libjansson-dev check ca-certificates dpkg-dev \ - clang libc++-dev curl net-tools netcat-openbsd procps - - name: Download socat run: curl -O http://www.dest-unreach.org/socat/download/${{ matrix.socat_ref }}.tar.gz && tar xvf ${{ matrix.socat_ref }}.tar.gz diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index 27c498a2..30354e88 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider timeout-minutes: 10 container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive 
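Review bot: With the install step gone, the `Download socat` step (unchanged, immediately after the removed block) is the only remaining network fetch in this job, and it still pulls the tarball over plain `http://` with no integrity check, so the code under test is whatever the network hands back. Fetch it with `curl -fsSLO https://www.dest-unreach.org/socat/download/${{ matrix.socat_ref }}.tar.gz` if the mirror serves TLS, and verify it with `echo '<SHA256_PLACEHOLDER>  ${{ matrix.socat_ref }}.tar.gz' | sha256sum -c` keyed by the matrix ref, or vendor the archive into the image alongside the other dependencies.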
@@ -114,11 +114,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install sscep dependencies - run: | - apt-get update - apt-get install -y scep psmisc build-essential autoconf libtool pkg-config - - name: Download sscep uses: actions/checkout@v4 with: diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index db598117..57e97a8b 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,13 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y build-essential autoconf automake \ - autoconf-archive libtool libwrap0-dev pkg-config python3-venv \ - python3-cryptography patch git - - name: Check Python version run: python3 --version diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index aaf769aa..d22b3a6f 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml @@ -62,7 +62,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages 
@@ -112,19 +112,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - export DEBIAN_FRONTEND=noninteractive - apt-get update - apt-get install -y build-essential meson ninja-build \ - libmount-dev gperf python3-pytest python3-jinja2 python3-pip \ - libuv1-dev libnghttp2-dev libcap-dev uuid-dev libdevmapper-dev \ - libpopt-dev libjson-c-dev libargon2-dev libblkid-dev asciidoctor \ - pkgconf zlib1g-dev libgcrypt20-dev libgpg-error-dev libgnutls28-dev \ - libp11-kit-dev libfido2-dev libtss2-dev libdw-dev libbz2-dev \ - liblzma-dev liblz4-dev libzstd-dev libxkbcommon-dev libglib2.0-dev \ - libdbus-1-dev python3-setuptools python3-wheel git - - name: Checkout systemd uses: actions/checkout@v4 with: diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index 9ffba2e1..1fd631ed 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml @@ -58,7 +58,7 @@ jobs: needs: build_wolfprovider continue-on-error: true container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 @@ -110,12 +110,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install test dependencies - run: | - apt-get update - apt-get install -y build-essential flex bison autoconf libtool\ - libpcap-dev - - name: Checkout tcpdump uses: actions/checkout@v4 with: diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index c4c1f1d2..9ce1b68b 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
@@ -113,12 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install dependencies - run: | - apt-get update - apt-get install -y build-essential autoconf libtool pkg-config \ - vsftpd wget libncurses5-dev libncursesw5-dev - - name: Download and extract tnftp run: | # Fetch from the Debian source archive rather than ftp.netbsd.org diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index c0ffff69..8a0ee59d 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -113,14 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install tpm2-tools test dependencies - run: | - apt-get update - apt-get install -y git build-essential expect vim dbus vim-common \ - autoconf-archive python3 python3-yaml python3-pip libefivar-dev \ - libcmocka-dev automake libtool pkg-config build-essential pandoc \ - libtss2-dev tpm2-abrmd swtpm tpm2-tools iproute2 libcurl4-openssl-dev - - name: Download tpm2-tools uses: actions/checkout@v4 with: diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index 7b6adfbd..f00083f8 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 10 
@@ -113,23 +113,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install x11vnc dependencies - run: | - apt-get update - - # common build dependencies - apt-get install -y build-essential autoconf automake libtool \ - pkg-config gcc make ca-certificates - - # x11vnc dependencies - apt-get install -y libc6-dev libjpeg-dev x11proto-core-dev \ - libxss-dev zlib1g-dev libavahi-client-dev libvncserver-dev \ - libx11-dev libxdamage-dev libxext-dev libxfixes-dev libxi-dev \ - libxinerama-dev libxrandr-dev libxtst-dev - - # packages for testing script - apt-get install -y xvfb tigervnc-viewer psmisc expect curl - - name: Download x11vnc uses: actions/checkout@v4 with: diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index 048da6ea..e541f1d8 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -33,7 +33,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: debian:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -87,13 +87,6 @@ jobs: ${{ matrix.replace_default && '--replace-default' || '' }} \ ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} - - name: Install xmlsec dependencies - run: | - apt-get update - apt-get install -y automake autoconf libtool libtool-bin \ - libltdl-dev libltdl7 libxml2-dev patch build-essential \ - pkg-config libxml2-dev - - name: Download xmlsec uses: actions/checkout@v4 with: diff --git a/docker/wolfprovider-test-deps/Dockerfile b/docker/wolfprovider-test-deps/Dockerfile new file mode 100644 index 00000000..61ffab04 --- /dev/null +++ b/docker/wolfprovider-test-deps/Dockerfile 
@@ -0,0 +1,97 @@ +# wolfProvider test-deps container. +# +# Bakes in the union of apt packages every PR workflow used to install at +# job time. Goal: zero `apt-get update` calls during PR CI. Built and +# pushed to ghcr.io/wolfssl/wolfprovider-test-deps:bookworm by the +# publish-test-deps-image.yml workflow. + +FROM debian:bookworm-slim + +ENV DEBIAN_FRONTEND=noninteractive +ENV PERL_MM_USE_DEFAULT=1 + +# One apt-get update + one apt-get install. Anything you add here ships +# in the image; do not add per-workflow installs. +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + # core build toolchain + build-essential gcc g++ make m4 gettext \ + autoconf automake autoconf-archive autopoint autotools-dev \ + libtool libtool-bin pkg-config pkgconf \ + cmake meson ninja-build bison flex gperf gengetopt help2man \ + clang clang-tools cppcheck libc++-dev \ + # vcs, transport, compression, scripting + git git-all curl wget ca-certificates patch xxd dpkg-dev \ + gawk perl python3 python3-pip python3-venv python3-wheel \ + python3-setuptools python3-yaml python3-jinja2 python3-six \ + python3-pytest python3-dnspython python3-hypothesis \ + python3-impacket python3-cryptography python3-pycryptodome \ + python3-cmarkgfm python3-docutils python-dev-is-python3 \ + cpanminus \ + # editors, debug, system bits + valgrind vim vim-common groff sudo procps psmisc bc less \ + bsdextrautils util-linux kmod systemd cryptsetup-bin \ + ca-certificates dbus \ + # networking, ssh, vnc, sniffers + net-tools netcat-openbsd iproute2 iw bridge-utils \ + openssh-client openssh-server expect \ + tigervnc-viewer xvfb \ + wireless-regdb wireless-tools \ + # zlib / xz / lzma / bz2 / lzo / lz4 / zstd + zlib1g zlib1g-dev liblzma-dev libbz2-dev liblzo2-dev \ + liblz4-dev libzstd-dev libzstd1 \ + # crypto / TLS adjacents. libssl3/libssl-dev are the *stock* Debian + # versions; replace-default mode dpkg-installs wolfprov-patched + # debs on top (and apt-marks them held) at job time. 
+ openssl libssl-dev libssl3 \ + libgcrypt20-dev libgpg-error-dev \ + libgnutls28-dev gnutls-bin \ + libp11-dev libp11-kit-dev libargon2-dev libcbor-dev \ + libcurl4-openssl-dev libidn2-dev libnghttp2-dev nghttp2 \ + libpsl-dev libpsl5 \ + libpcsclite-dev opensc pcsc-tools pcscd \ + libtss2-dev tpm2-tools tpm2-abrmd swtpm softhsm2 \ + libfido2-dev \ + libsasl2-dev libldap2-dev libldb-dev libldb2 \ + libpcre2-dev libpcre3-dev \ + libreadline-dev libsqlite3-dev libpopt-dev libpcap-dev libpcap0.8 \ + libseccomp-dev libwrap0-dev libudev-dev libdevmapper-dev libcap-dev \ + libcap-ng-dev libcap2 libacl1-dev libattr1-dev libblkid-dev \ + libmount-dev libdw-dev libdbus-1-dev libglib2.0-dev \ + libgstreamer1.0-dev gstreamer1.0-plugins-base-apps \ + libhiredis-dev libjansson-dev libjemalloc-dev libjson-c-dev \ + libxml2-dev libcunit1-dev libcmocka-dev libpam0g-dev \ + libpng-dev libjpeg-dev libusb-1.0-0-dev libuv1-dev libverto-dev \ + libavahi-client-dev libavahi-compat-libdnssd-dev libmemcached-dev \ + libutf8proc-dev libxxhash-dev libkeyutils-dev libcom-err2 \ + libcjose-dev libeac-dev libefivar-dev libncurses5-dev \ + libncursesw5-dev libunwind-dev libiberty-dev libltdl-dev libltdl7 \ + libperl-dev linux-libc-dev binutils-dev uuid-dev \ + # X11 (x11vnc, qt5network5) + libx11-dev libxdamage-dev libxext-dev libxfixes-dev libxi-dev \ + libxinerama-dev libxrandr-dev libxss-dev libxtst-dev \ + libxkbcommon-dev libvncserver-dev x11proto-core-dev \ + # netlink (hostap) + libnl-3-dev libnl-route-3-dev libnl-genl-3-dev libnl-genl-3-200 \ + # krb5 build deps (e2fsprogs headers) + comerr-dev ss-dev libss2 \ + # sscep test + scep \ + # extras called out by specific workflows + check apache2-dev acl attr fakeroot \ + asciidoctor docbook-xsl pandoc xsltproc man2html \ + memcached vsftpd pps-tools tshark \ + && rm -rf /var/lib/apt/lists/* + +# Perl modules used by app test suites. Baked in so transient CPAN +# flakes don't poison a PR run. 
+RUN cpanm --notest \ + Net::DNS \ + Proc::Find Net::SSLeay IO::Socket::SSL \ + && rm -rf /root/.cpanm + +# OpenSSL/wolfSSL come from .deb packages pulled at job time via ORAS. +# We do NOT pre-install them here; the workflows do +# dpkg -i $WOLFSSL_PACKAGES_PATH/libwolfssl_*.deb +# and then apt-mark hold them to stop test-dep apt installs from +# clobbering the wolfprov-patched libssl3. From ab5ab8d082f42b615b48cecb5a75b9ecadad1b02 Mon Sep 17 00:00:00 2001 
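Review bot: `RUN cpanm --notest Net::DNS Proc::Find Net::SSLeay IO::Socket::SSL` fetches whatever version CPAN serves at build time, unpinned and with the modules' own test suites skipped, so two builds of this Dockerfile can yield different images and an upstream or mirror change lands in the test environment unnoticed; the header comment about transient CPAN flakes is itself an argument for pinning. Debian ships at least Net::DNS, Net::SSLeay and IO::Socket::SSL as `libnet-dns-perl`, `libnet-ssleay-perl` and `libio-socket-ssl-perl`, which would move them into the single apt transaction above and under Debian's signed repositories; where cpanm is still needed, it accepts `Module@VERSION` to pin. The same applies to `FROM debian:bookworm-slim`, a moving tag; a digest pin (`debian:bookworm-slim@sha256:DIGEST`, DIGEST being a placeholder) makes the base explicit. Minor: `ca-certificates` appears twice in the apt list, once in the vcs/transport group and again under "system bits".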
From: aidan garske Date: Mon, 25 May 2026 12:38:50 -0700 Subject: [PATCH 10/26] ci: per-owner test-deps image so fork PRs can publish their own (review fix) Was: every workflow pulled ghcr.io/wolfssl/wolfprovider-test-deps:bookworm, which doesn't exist until upstream master runs the publish workflow. Bootstrap chicken-and-egg. Now: publish-test-deps-image.yml fires on any branch push (and PRs) and pushes to ghcr.io//wolfprovider-test-deps:bookworm. Consumer workflows read from the PR head's owner when on a PR, else the running repo's owner. Result: a fork PR publishes to the fork's ghcr namespace and pulls from it; master pushes publish to the org's ghcr namespace and pulls from it. Also fixes copilot review feedback from https://github.com/wolfSSL/wolfProvider/pull/400#pullrequestreview-4358449308 - Phase B log filename renames broke check-workflow-result.sh's hardcoded log paths (curl-test.log, openvpn-test.log, sssd-test.log, net-snmp-test.log, nginx-test.log, openssh-test.log, tcpdump-test.log, liboauth2-test.log, stunnel-test.log) plus in-step greps in cjose, libcryptsetup, libfido2, libhashkit2, libtss2, opensc, python3-ntp, qt5network5, tnftp, tpm2-tools. Reverted log names back to -test.log; second mode overwrites first. - libtss2.yml: fix `if $(grep -q ...)` (invalid shell -- command substitution of grep used as the if condition expanded to an empty command). Use `if grep -q ...; then`. - opensc.yml: fix `TEST_RESULT=$(((grep ...) && echo 0 || echo 1))` (arithmetic expansion `(( ))` can't contain shell commands). Hoist to a check_opensc_log() function called from both modes. - stunnel.yml: `grep -c "failed: 0"` returns 1 on success, but check-workflow-result.sh expects TEST_RESULT==0 for pass. Use `if grep -q ...; then TEST_RESULT=0; else TEST_RESULT=1; fi`. Also mirror tests/logs/results.log to stunnel-test.log so the force-fail check finds the expected file. - hostap.yml: drop continue-on-error from the normal-mode test step. 
Without it the step's exit code was swallowed and normal-mode test failures didn't fail the job. One-time setup: after this lands, the owner of each fork that opens a PR has to make their ghcr.io//wolfprovider-test-deps package public (GitHub UI: Packages -> Package settings -> Change visibility). GitHub's Actions runners can only pull public packages from another namespace. --- .github/workflows/bind9.yml | 6 +-- .github/workflows/cjose.yml | 6 +-- .github/workflows/curl.yml | 6 +-- .github/workflows/debian-package.yml | 2 +- .github/workflows/git-ssh-dr.yml | 2 +- .github/workflows/grpc.yml | 2 +- .github/workflows/hostap.yml | 4 +- .github/workflows/iperf.yml | 2 +- .github/workflows/krb5.yml | 6 +-- .github/workflows/libcryptsetup.yml | 6 +-- .github/workflows/libeac3.yml | 2 +- .github/workflows/libfido2.yml | 6 +-- .github/workflows/libhashkit2.yml | 6 +-- .github/workflows/libnice.yml | 6 +-- .github/workflows/liboauth2.yml | 6 +-- .github/workflows/librelp.yml | 10 ++--- .github/workflows/libssh2.yml | 6 +-- .github/workflows/libtss2.yml | 6 +-- .github/workflows/libwebsockets.yml | 2 +- .github/workflows/net-snmp.yml | 6 +-- .github/workflows/nginx.yml | 6 +-- .github/workflows/openldap.yml | 6 +-- .github/workflows/opensc.yml | 28 +++++++----- .github/workflows/openssh.yml | 6 +-- .github/workflows/openvpn.yml | 6 +-- .github/workflows/pam-pkcs11.yml | 2 +- .github/workflows/ppp.yml | 6 +-- .github/workflows/publish-test-deps-image.yml | 45 +++++++++++++------ .github/workflows/python3-ntp.yml | 6 +-- .github/workflows/qt5network5.yml | 6 +-- .github/workflows/rsync.yml | 6 +-- .github/workflows/socat.yml | 2 +- .github/workflows/sscep.yml | 2 +- .github/workflows/sssd.yml | 4 +- .github/workflows/stunnel.yml | 25 +++++++---- .github/workflows/systemd.yml | 2 +- .github/workflows/tcpdump.yml | 6 +-- .github/workflows/tnftp.yml | 6 +-- .github/workflows/tpm2-tools.yml | 6 +-- .github/workflows/x11vnc.yml | 4 +- .github/workflows/xmlsec.yml | 2 +- 41 files 
changed, 155 insertions(+), 125 deletions(-) diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index d22e9b2a..58afb6e5 100644 --- a/.github/workflows/bind9.yml +++ b/.github/workflows/bind9.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -148,12 +148,12 @@ jobs: ./bin/tests/system/ifconfig.sh up # --- normal mode --- - make -j$(nproc) check 2>&1 | tee bind9-test-normal.log + make -j$(nproc) check 2>&1 | tee bind9-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" bind9 # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 - make -j$(nproc) check 2>&1 | tee bind9-test-ff.log + make -j$(nproc) check 2>&1 | tee bind9-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" bind9 diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index 38b3f142..abce62fd 100644 --- a/.github/workflows/cjose.yml +++ b/.github/workflows/cjose.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
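Review bot: `github.repository_owner` is interpolated into the image name as-is, but OCI image names must be lowercase and this repository's owner is `wolfSSL` (see the PR URL in the description), so on push events the runner would pull `ghcr.io/wolfSSL/wolfprovider-test-deps:bookworm` and, unless it lowercases the reference itself (I do not believe it does), fail with an invalid-reference error that the hand-written `ghcr.io/wolfssl/...` it replaces never hit. Workflow expressions have no lowercase function, so the usual fix is an early job that emits it (`echo "owner=${OWNER,,}" >> "$GITHUB_OUTPUT"` with OWNER set from `github.repository_owner`) and a `container.image` that reads `needs.JOB_ID.outputs.owner` (JOB_ID being that job; the `needs` context is available to `container`). The same line is repeated in the cjose, curl, debian-package, git-ssh-dr, grpc, hostap, iperf, krb5, libcryptsetup, libeac3, libfido2, libhashkit2, libnice, liboauth2, librelp, libssh2, libtss2, libwebsockets, net-snmp, nginx, openldap and opensc hunks of this patch. Separately, for fork PRs the test container, including the stock `libssl3` that replace-default mode overwrites, is now built and re-pushable under the same mutable tag by the fork owner, so a PR's result cannot be reproduced from this repository alone; the org-owned image on the master push should remain the run that gates merges, and I would expect `github.event.pull_request.head.repo` to be null once a fork has been deleted, which would break this expression.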
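Review bot: Both modes now tee into the same `bind9-test.log`, so the force-fail run overwrites the normal-mode file; the normal output survives only in the step's console log, and anything that later inspects or uploads the file sees just the force-fail run. Keeping the fixed name that check-workflow-result.sh expects while retaining both files is one line after the first check, e.g. `cp bind9-test.log bind9-test-normal.log`. The same overwrite is in the log-rename hunks for cjose, curl, krb5, libcryptsetup, libfido2, libhashkit2, libnice, liboauth2, librelp, libssh2, net-snmp, nginx and openldap.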
@@ -136,7 +136,7 @@ jobs: run: | # --- normal mode --- - make test 2>&1 | tee cjose-test-normal.log + make test 2>&1 | tee cjose-test.log TEST_RESULT=$(grep -q "FAIL: check_cjose" cjose-test.log && echo "1" || echo "0") echo "TEST_RESULT = $TEST_RESULT" $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" cjose @@ -144,7 +144,7 @@ jobs: # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 - make test 2>&1 | tee cjose-test-ff.log + make test 2>&1 | tee cjose-test.log TEST_RESULT=$(grep -q "FAIL: check_cjose" cjose-test.log && echo "1" || echo "0") echo "TEST_RESULT = $TEST_RESULT" $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" cjose diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index f0a287fd..2a2f98b5 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -143,12 +143,12 @@ jobs: export USER=testuser # --- normal mode --- - make -j$(nproc) test-ci 2>&1 | tee curl-test-normal.log + make -j$(nproc) test-ci 2>&1 | tee curl-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" curl # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 - make -j$(nproc) test-ci 2>&1 | tee curl-test-ff.log + make -j$(nproc) test-ci 2>&1 | tee curl-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" curl diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index b8d5461e..771f39ca 100644 
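Review bot: `TEST_RESULT=$(grep -q "FAIL: check_cjose" cjose-test.log && echo "1" || echo "0")` reports success whenever the failure marker is absent, which includes a `make test` that failed to build or never reached the test binary, because the exit status of `make` is discarded; a normal-mode run that executed no tests is reported green. Requiring a positive marker (whatever PASS line the harness prints on success) in addition to the absence of `FAIL:`, or folding in `${PIPESTATUS[0]}` from the `make test` pipeline as the bind9 and curl workflows do, closes that gap. The same absence-of-failure check appears in libhashkit2 (`grep -q "(Failed)"`) and in libtss2, where `make check 2>&1 || true` additionally discards the build status before `grep -q "FAIL: test/unit" test-suite.log` and a missing `test-suite.log` also lands in the else branch, which from its shape looks like the success path; there, `if [ ! -s test-suite.log ] || grep -q "FAIL: test/unit" test-suite.log; then` would be the minimal guard, in both the @@ -100 and @@ -111 hunks.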
--- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml @@ -62,7 +62,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index 63e787dc..ea14d70b 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml @@ -57,7 +57,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive needs: build_wolfprovider diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index cd7f8643..8b0a3a38 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index b7723cd9..8ee4cf79 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml 
@@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm with privileged access for UML container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm options: --privileged --cap-add=ALL -v /dev:/dev env: DEBIAN_FRONTEND: noninteractive @@ -214,7 +214,6 @@ jobs: - name: Run focused tests (normal mode) id: testing working-directory: hostap/tests/hwsim/ - continue-on-error: true run: | set +e @@ -270,7 +269,6 @@ jobs: - name: Run focused tests (force-fail mode) working-directory: hostap/tests/hwsim/ - continue-on-error: true run: | set +e diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 88a06f06..a48429b4 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 5dfd2b07..2045fb2e 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
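Review bot: Removing `continue-on-error: true` from the step with `id: testing` also changes what the steps after it see: previously a failing normal-mode run left `steps.testing.outcome` as `failure` while the job continued, so any later step conditioned on that outcome ran; now the job stops here unless those steps carry `if: always()` or `if: failure()`, and the force-fail step at @@ -270 only runs when normal mode passes. Worth checking that the steps following these two (outside the hunk) still behave as intended. Both step bodies begin with `set +e` and continue outside the hunk, so whether each step's final exit status now reflects the test result depends on how they end.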
@@ -158,7 +158,7 @@ jobs: # --- normal mode --- # Run tests and save output - make check 2>&1 | tee krb5-test-normal.log + make check 2>&1 | tee krb5-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" krb5 @@ -166,6 +166,6 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run tests and save output - make check 2>&1 | tee krb5-test-ff.log + make check 2>&1 | tee krb5-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" krb5 diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index 477a53ac..cb562fd8 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -159,7 +159,7 @@ jobs: # from the cryptsetup source root make -j$(nproc) - make -C tests check TESTS="vectors-test run-all-symbols unit-utils-crypt-test" VERBOSE=1 2>&1 | tee cryptsetup-test-normal.log + make -C tests check TESTS="vectors-test run-all-symbols unit-utils-crypt-test" VERBOSE=1 2>&1 | tee cryptsetup-test.log TEST_RESULT=$(grep -q "All 3 tests passed" cryptsetup-test.log && echo "0" || echo "1") printf "TEST_RESULT: $TEST_RESULT\n" $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" cryptsetup 
@@ -169,7 +169,7 @@ jobs: # from the cryptsetup source root make -j$(nproc) - make -C tests check TESTS="vectors-test run-all-symbols unit-utils-crypt-test" VERBOSE=1 2>&1 | tee cryptsetup-test-ff.log + make -C tests check TESTS="vectors-test run-all-symbols unit-utils-crypt-test" VERBOSE=1 2>&1 | tee cryptsetup-test.log TEST_RESULT=$(grep -q "All 3 tests passed" cryptsetup-test.log && echo "0" || echo "1") printf "TEST_RESULT: $TEST_RESULT\n" $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" cryptsetup diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 730c6092..6bceb27b 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 3e0f7fa9..8ccd78a1 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml @@ -56,7 +56,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 
@@ -150,7 +150,7 @@ jobs: # --- normal mode --- # Run tests, excluding regress_dev which requires hardware/fails in CI - ctest --exclude-regex "regress_dev" 2>&1 | tee libfido2-test-normal.log + ctest --exclude-regex "regress_dev" 2>&1 | tee libfido2-test.log # Check test results directly in YAML if grep -q "100% tests passed" libfido2-test.log; then @@ -165,7 +165,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run tests, excluding regress_dev which requires hardware/fails in CI - ctest --exclude-regex "regress_dev" 2>&1 | tee libfido2-test-ff.log + ctest --exclude-regex "regress_dev" 2>&1 | tee libfido2-test.log # Check test results directly in YAML if grep -q "100% tests passed" libfido2-test.log; then diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index 657df4f8..92fcb83b 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -135,7 +135,7 @@ jobs: run: | # --- normal mode --- # Run tests - make test 2>&1 | tee libhashkit2-test-normal.log + make test 2>&1 | tee libhashkit2-test.log if grep -q "(Failed)" libhashkit2-test.log; then TEST_RESULT=1 else @@ -148,7 +148,7 @@ jobs: # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 # Run tests - make test 2>&1 | tee libhashkit2-test-ff.log + make test 2>&1 | tee libhashkit2-test.log if grep -q "(Failed)" libhashkit2-test.log; then TEST_RESULT=1 else diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index 9e3027d2..be2f83d5 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml 
@@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 @@ -151,7 +151,7 @@ jobs: # --- normal mode --- # Run tests and save output to test.log - ninja -C builddir test 2>&1 | tee libnice_test-normal.log + ninja -C builddir test 2>&1 | tee libnice_test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} @@ -161,7 +161,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run tests and save output to test.log - ninja -C builddir test 2>&1 | tee libnice_test-ff.log + ninja -C builddir test 2>&1 | tee libnice_test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index a3544276..d78c9766 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 @@ -145,7 +145,7 @@ jobs: # --- normal mode --- # Build and run tests - make check 2>&1 | tee liboauth2-test-normal.log + make check 2>&1 | tee liboauth2-test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" liboauth2 
@@ -154,7 +154,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Build and run tests - make check 2>&1 | tee liboauth2-test-ff.log + make check 2>&1 | tee liboauth2-test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" liboauth2 diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index b4df8f13..588beb36 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -135,12 +135,12 @@ jobs: working-directory: librelp run: | # --- normal mode --- - make check 2>&1 | tee librelp-test-normal.log - TEST_RESULT=$(grep -q "# FAIL: 0" librelp-test-normal.log && echo "0" || echo "1") + make check 2>&1 | tee librelp-test.log + TEST_RESULT=$(grep -q "# FAIL: 0" librelp-test.log && echo "0" || echo "1") $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" librelp # --- force-fail mode --- make clean - WOLFPROV_FORCE_FAIL=1 make check 2>&1 | tee librelp-test-ff.log - TEST_RESULT=$(grep -q "# FAIL: 0" librelp-test-ff.log && echo "0" || echo "1") + WOLFPROV_FORCE_FAIL=1 make check 2>&1 | tee librelp-test.log + TEST_RESULT=$(grep -q "# FAIL: 0" librelp-test.log && echo "0" || echo "1") $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" librelp diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 17629dfb..8ddfb319 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml 
@@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 @@ -148,7 +148,7 @@ jobs: # Run the tests and capture the result set -o pipefail - make check 2>&1 | tee libssh2-test-normal.log + make check 2>&1 | tee libssh2-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" libssh2 @@ -159,6 +159,6 @@ jobs: # Run the tests and capture the result set -o pipefail - make check 2>&1 | tee libssh2-test-ff.log + make check 2>&1 | tee libssh2-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" libssh2 diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index 92265630..1dbc121f 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -30,7 +30,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 30 @@ -100,7 +100,7 @@ jobs: source $GITHUB_WORKSPACE/scripts/env-setup # --- normal mode --- make check 2>&1 || true - if $(grep -q "FAIL: test/unit" test-suite.log); then + if grep -q "FAIL: test/unit" test-suite.log; then TEST_RESULT=1 echo "Expected zero failures" else 
@@ -111,7 +111,7 @@ jobs: # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 make check 2>&1 || true - if $(grep -q "FAIL: test/unit" test-suite.log); then + if grep -q "FAIL: test/unit" test-suite.log; then TEST_RESULT=1 echo "Expected zero failures" else diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index 1fc47c72..61462d28 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 22a7357a..edd4b673 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -163,7 +163,7 @@ jobs: # --- normal mode --- autoconf --version | grep -P '2\.\d\d' -o > dist/autoconf-version - make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test-normal.log + make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" net-snmp 
@@ -172,7 +172,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 autoconf --version | grep -P '2\.\d\d' -o > dist/autoconf-version - make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test-ff.log + make -j test TESTOPTS="-e agentxperl" 2>&1 | tee net-snmp-test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" net-snmp diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 60f0c4e9..e4f4b0e9 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -141,7 +141,7 @@ jobs: # --- normal mode --- # Run tests and save result - TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v . 2>&1 | tee nginx-test-normal.log + TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v . 2>&1 | tee nginx-test.log TEST_RESULT=$? $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" nginx @@ -149,6 +149,6 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run tests and save result - TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v . 2>&1 | tee nginx-test-ff.log + TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y TEST_NGINX_BINARY=../nginx/objs/nginx prove -v . 2>&1 | tee nginx-test.log TEST_RESULT=$? $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" nginx diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index 9c384a6d..79ef35e7 100644 
--- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -150,7 +150,7 @@ jobs: make -j # --- normal mode --- - make -j check 2>&1 | tee openldap-test-normal.log + make -j check 2>&1 | tee openldap-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" openldap @@ -158,7 +158,7 @@ jobs: # WPFF breaks on test 067; cap at 15 min and treat timeout as failure. export WOLFPROV_FORCE_FAIL=1 set +e - timeout 15m make -j check 2>&1 | tee openldap-test-ff.log + timeout 15m make -j check 2>&1 | tee openldap-test.log TEST_RESULT=${PIPESTATUS[0]} set -e if [ $TEST_RESULT -eq 124 ]; then diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index 52b1cad9..a87c3d06 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. 
@@ -153,21 +153,25 @@ jobs:
 shell: bash
 run: |
 set +o pipefail # ignore errors from make check
- # --- normal mode ---
- # Run tests and save output
- make check | tee opensc-test-normal.log
+ check_opensc_log() {
+ # 18 passes, 2 expected failures expected.
+ if grep -q "# PASS: 10" opensc-test.log \
+ && grep -q "# PASS: 8" opensc-test.log \
+ && grep -q "# XFAIL: 2" opensc-test.log; then
+ echo 0
+ else
+ echo 1
+ fi
+ }
- # Check for expected test results in the test log (18 passes, 2 expected failures, with WPFF we expect 6 failures)
- TEST_RESULT=$(((grep -q "# PASS: 10" opensc-test.log) && (grep -q "# PASS: 8" opensc-test.log) && (grep -q "# XFAIL: 2" opensc-test.log)) && echo "0" || echo "1")
+ # --- normal mode ---
+ make check | tee opensc-test.log
+ TEST_RESULT=$(check_opensc_log)
 $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" opensc
 # --- force-fail mode ---
 export WOLFPROV_FORCE_FAIL=1
-
- # Run tests and save output
- make check | tee opensc-test-ff.log
-
- # Check for expected test results in the test log (18 passes, 2 expected failures, with WPFF we expect 6 failures)
- TEST_RESULT=$(((grep -q "# PASS: 10" opensc-test.log) && (grep -q "# PASS: 8" opensc-test.log) && (grep -q "# XFAIL: 2" opensc-test.log)) && echo "0" || echo "1")
+ make check | tee opensc-test.log
+ TEST_RESULT=$(check_opensc_log)
 $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" opensc
diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml
index f5f34bd2..6d9affd2 100644
--- a/.github/workflows/openssh.yml
+++ b/.github/workflows/openssh.yml
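Review bot: The new `check_opensc_log` helper applies the same pass/xfail counts in both modes, and the removed comment's note that force-fail mode expects 6 failures is gone with it, so a reader can no longer tell whether identical expectations in FF mode are intentional (presumably `check-workflow-result.sh` inverts the verdict when handed `WOLFPROV_FORCE_FAIL=1`, but that script is outside this diff). Replacing the helper's garbled comment line with `# Success == 18 passes (PASS: 10 + PASS: 8) and XFAIL: 2; check-workflow-result.sh inverts the verdict in force-fail mode.` would restore that. Both modes now `tee` into the same `opensc-test.log`, so the normal-mode log is overwritten by the force-fail run; the same holds for every `-normal.log`/`-ff.log` collapse in this patch and is only safe if the script consumes the file before the second run, which is worth confirming.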
@@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm # Extra permissions needed for Debian Bookworm options: >- --privileged @@ -192,7 +192,7 @@ jobs: export LD_LIBRARY_PATH=".:openbsd-compat:$LD_LIBRARY_PATH" # Include build dirs for symbol resolution # Run all the tests except (t-exec) as it takes too long - make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test-normal.log + make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" openssh @@ -231,6 +231,6 @@ jobs: export LD_LIBRARY_PATH=".:openbsd-compat:$LD_LIBRARY_PATH" # Include build dirs for symbol resolution # Run all the tests except (t-exec) as it takes too long - make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test-ff.log + make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" openssh diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 69fe3d04..b06c1583 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -62,7 +62,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive strategy: 
@@ -152,14 +152,14 @@ jobs: set +o pipefail # ignore errors from make check # --- normal mode --- - make check 2>&1 | tee openvpn-test-normal.log + make check 2>&1 | tee openvpn-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" openvpn # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 set +e - make check 2>&1 | tee openvpn-test-ff.log + make check 2>&1 | tee openvpn-test.log TEST_RESULT=${PIPESTATUS[0]} set -e $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" openvpn diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index 1d575887..20f78bcb 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index d4698e19..f9ea12c6 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -58,7 +58,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 @@ -161,7 +161,7 @@ jobs: # --- normal mode --- # Run tests - make check 2>&1 | tee ppp-test-normal.log + make check 2>&1 | tee ppp-test.log # Check test results directly in YAML if grep -q "# FAIL: 0" pppd/test-suite.log; then 
@@ -176,7 +176,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run tests - make check 2>&1 | tee ppp-test-ff.log + make check 2>&1 | tee ppp-test.log # Check test results directly in YAML if grep -q "# FAIL: 0" pppd/test-suite.log; then diff --git a/.github/workflows/publish-test-deps-image.yml b/.github/workflows/publish-test-deps-image.yml index 7f15612c..6c1d9574 100644 --- a/.github/workflows/publish-test-deps-image.yml +++ b/.github/workflows/publish-test-deps-image.yml @@ -1,22 +1,30 @@ name: Publish test-deps image # Builds docker/wolfprovider-test-deps/Dockerfile and pushes it to -# ghcr.io/wolfssl/wolfprovider-test-deps:bookworm. +# ghcr.io//wolfprovider-test-deps:bookworm. # -# Fires when the Dockerfile changes on master, or manually via -# workflow_dispatch. The pushed image is what every Debian-container -# PR workflow consumes (see e.g. bind9.yml's `container:` block). +# Publishes to the namespace of whatever repo this workflow runs in: +# - wolfSSL/wolfProvider master -> ghcr.io/wolfssl/... +# - aidangarske/wolfProvider push -> ghcr.io/aidangarske/... +# +# Consumer workflows pull from the PR head's owner (or the running +# repo's owner on push), so a fork PR can iterate on its own image. +# The owner needs to make the published package public once. on: push: - branches: [ 'master', 'main' ] + branches: [ '**' ] + paths: + - 'docker/wolfprovider-test-deps/**' + - '.github/workflows/publish-test-deps-image.yml' + pull_request: paths: - 'docker/wolfprovider-test-deps/**' - '.github/workflows/publish-test-deps-image.yml' workflow_dispatch: {} concurrency: - group: publish-test-deps-image + group: publish-test-deps-image-${{ github.ref }} cancel-in-progress: false permissions: 
@@ -27,20 +35,31 @@ jobs:
 publish:
 runs-on: ubuntu-22.04
 timeout-minutes: 45
+ env:
+ # Lowercase the owner — ghcr.io path components must be lowercase
+ # even though the GitHub org casing is "wolfSSL".
+ IMAGE_OWNER: ${{ github.repository_owner }}
 steps:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 1
+ - name: Compute lowercase image owner
+ id: owner
+ run: |
+ echo "lc=$(echo "${IMAGE_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
+
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Login to ghcr.io
- if: github.repository == 'wolfSSL/wolfProvider'
+ # PR runs from forks have a read-only GITHUB_TOKEN; skip login
+ # (and skip push below) in that case.
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
- username: ${{ github.repository_owner }}
+ username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push image
@@ -48,10 +67,10 @@ jobs:
 with:
 context: docker/wolfprovider-test-deps
 file: docker/wolfprovider-test-deps/Dockerfile
- # Only push from the canonical repo; forks just verify it builds.
- push: ${{ github.repository == 'wolfSSL/wolfProvider' }}
+ # Push from push/dispatch always; skip on fork PRs (no perms).
+ push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
 tags: |
- ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
- ghcr.io/wolfssl/wolfprovider-test-deps:bookworm-${{ github.sha }}
- cache-from: type=registry,ref=ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
+ ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm
+ ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm-${{ github.sha }}
+ cache-from: type=registry,ref=ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm
 cache-to: type=inline
diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index 5ea6931e..83faba96 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml @@ -62,7 +62,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive @@ -143,7 +143,7 @@ jobs: # --- normal mode --- # Run tests - ./waf check | tee python3-ntp-test-normal.log + ./waf check | tee python3-ntp-test.log if grep -q "'check' finished successfully" python3-ntp-test.log; then TEST_RESULT=0 else @@ -155,7 +155,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run tests - ./waf check | tee python3-ntp-test-ff.log + ./waf check | tee python3-ntp-test.log if grep -q "'check' finished successfully" python3-ntp-test.log; then TEST_RESULT=0 else diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index d98da1a7..61a18c03 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 40 
@@ -155,7 +155,7 @@ jobs: # --- normal mode --- # Run the QSSLSocket test, the make check takes too long - QTEST_ENVIRONMENT=ci ./tests/auto/network/ssl/qsslsocket/tst_qsslsocket 2>&1 | tee qsslsocket-test-normal.log + QTEST_ENVIRONMENT=ci ./tests/auto/network/ssl/qsslsocket/tst_qsslsocket 2>&1 | tee qsslsocket-test.log # Check test results based on qt_ref if grep -q "521 passed" qsslsocket-test.log; then @@ -172,7 +172,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run the QSSLSocket test, the make check takes too long - QTEST_ENVIRONMENT=ci ./tests/auto/network/ssl/qsslsocket/tst_qsslsocket 2>&1 | tee qsslsocket-test-ff.log + QTEST_ENVIRONMENT=ci ./tests/auto/network/ssl/qsslsocket/tst_qsslsocket 2>&1 | tee qsslsocket-test.log # Check test results based on qt_ref if grep -q "521 passed" qsslsocket-test.log; then diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 23d578d2..6133f130 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml @@ -58,7 +58,7 @@ jobs: needs: build_wolfprovider timeout-minutes: 15 container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive @@ -136,7 +136,7 @@ jobs: # --- normal mode --- # Run rsync test suite including our SHA test - make check 2>&1 | tee rsync-test-normal.log + make check 2>&1 | tee rsync-test.log # Check test results - look for "0 failed" in the output if grep -q "overall result is 0" rsync-test.log; then @@ -151,7 +151,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run rsync test suite including our SHA test - make check 2>&1 | tee rsync-test-ff.log + make check 2>&1 | tee rsync-test.log # Check test results - look for "0 failed" in the output if grep -q "overall result is 0" rsync-test.log; then 
diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 5016ee92..1e54ea8b 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider continue-on-error: true container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index 30354e88..a2739e4c 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -61,7 +61,7 @@ jobs: needs: build_wolfprovider timeout-minutes: 10 container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index a7ea692f..eee0fc4c 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -105,14 +105,14 @@ jobs: grep -q libwolfprov provider-list.log || (echo "ERROR: libwolfprov not found in OpenSSL providers" && exit 1) # --- normal mode --- - make check 2>&1 | tee sssd-test-normal.log + make check 2>&1 | tee sssd-test.log TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" sssd # --- force-fail mode --- export WOLFPROV_FORCE_FAIL=1 set +e - make check 2>&1 | tee sssd-test-ff.log + make check 2>&1 | tee sssd-test.log TEST_RESULT=${PIPESTATUS[0]} set -e $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" sssd diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index 57e97a8b..92e6e002 100644 
--- a/.github/workflows/stunnel.yml
+++ b/.github/workflows/stunnel.yml
@@ -60,7 +60,7 @@ jobs:
 runs-on: ubuntu-22.04
 needs: build_wolfprovider
 container:
- image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
+ image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
 DEBIAN_FRONTEND: noninteractive
 # This should be a safe limit for the tests to run.
@@ -176,10 +176,16 @@ jobs:
 # Use `timeout` since the tests hang with WOLFPROV_FORCE_FAIL=1
 timeout 10 make check 2>&1 || true
- # grep for "failed: 0" in the results log, indicating success
- TEST_RESULT=$(grep -c "failed: 0" tests/logs/results.log || echo 1)
+ # Mirror the results log so check-workflow-result.sh can find it.
+ cp -f tests/logs/results.log stunnel-test.log 2>/dev/null || true
+
+ # "failed: 0" present in results.log == success
+ if grep -q "failed: 0" tests/logs/results.log; then
+ TEST_RESULT=0
+ else
+ TEST_RESULT=1
+ fi
 echo "Test result: $TEST_RESULT"
-
 $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" stunnel
 # --- force-fail mode ---
@@ -188,7 +194,7 @@ jobs:
 # enter venv
 source myenv/bin/activate
- # Set this variable to prevent attempts to load the legacy OpenSSL
+ # Set this variable to prevent attempts to load the legacy OpenSSL
 # provider, which we don't support.
 # This is necessary for OpenSSL 3.0+ to avoid errors related to legacy
 # algorithms that are not supported by wolfProvider.
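Review bot: When `tests/logs/results.log` does not exist — for instance when `timeout 10 make check` kills the suite before it is written — the `cp -f ... 2>/dev/null || true` discards the error and the following `grep -q` fails silently, so the step reports `TEST_RESULT=1` with nothing in the job log explaining why; the force-fail hunk further down repeats the pattern. A one-line existence check before the grep, `[ -f tests/logs/results.log ] || echo "::warning::tests/logs/results.log was not produced"`, keeps the verdict but makes the cause visible. The force-fail hunk also drops the two explanatory comments this hunk carries; copying them keeps both blocks readable on their own. The enclosing `run:` step begins outside the hunk.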
@@ -201,9 +207,12 @@ jobs:
 # Results captured in tests/logs/results.log
 # Use `timeout` since the tests hang with WOLFPROV_FORCE_FAIL=1
 timeout 10 make check 2>&1 || true
+ cp -f tests/logs/results.log stunnel-test.log 2>/dev/null || true
- # grep for "failed: 0" in the results log, indicating success
- TEST_RESULT=$(grep -c "failed: 0" tests/logs/results.log || echo 1)
+ if grep -q "failed: 0" tests/logs/results.log; then
+ TEST_RESULT=0
+ else
+ TEST_RESULT=1
+ fi
 echo "Test result: $TEST_RESULT"
-
 $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" stunnel
diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml
index d22b3a6f..83a09199 100644
--- a/.github/workflows/systemd.yml
+++ b/.github/workflows/systemd.yml
@@ -62,7 +62,7 @@ jobs:
 # This should be a safe limit for the tests to run.
 timeout-minutes: 20
 container:
- image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
+ image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
 DEBIAN_FRONTEND: noninteractive
 WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml
index 1fd631ed..dfa4e316 100644
--- a/.github/workflows/tcpdump.yml
+++ b/.github/workflows/tcpdump.yml
@@ -58,7 +58,7 @@ jobs:
 needs: build_wolfprovider
 continue-on-error: true
 container:
- image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
+ image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
 DEBIAN_FRONTEND: noninteractive
 timeout-minutes: 15
@@ -154,7 +154,7 @@ jobs: # --- normal mode --- # Run tests - make check 2>&1 | tee tcpdump-test-normal.log + make check 2>&1 | tee tcpdump-test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" tcpdump @@ -163,7 +163,7 @@ jobs: export WOLFPROV_FORCE_FAIL=1 # Run tests - make check 2>&1 | tee tcpdump-test-ff.log + make check 2>&1 | tee tcpdump-test.log # Capture the test result using PIPESTATUS (Bash only) TEST_RESULT=${PIPESTATUS[0]} $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" tcpdump diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 9ce1b68b..42909022 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -162,7 +162,7 @@ jobs: echo "Testing SSL/TLS connection..." timeout 15 ./src/tnftp -n https://httpbin.org/get 2>&1 echo "SSL/TLS test completed" - } 2>&1 | tee tnftp-test-normal.log + } 2>&1 | tee tnftp-test.log # Capture result and check for expected failure TEST_RESULT=$(grep -q "SSL context creation failed" tnftp-test.log && echo "1" || echo "0") @@ -198,7 +198,7 @@ jobs: echo "Testing SSL/TLS connection..." timeout 15 ./src/tnftp -n https://httpbin.org/get 2>&1 echo "SSL/TLS test completed" - } 2>&1 | tee tnftp-test-ff.log + } 2>&1 | tee tnftp-test.log # Capture result and check for expected failure TEST_RESULT=$(grep -q "SSL context creation failed" tnftp-test.log && echo "1" || echo "0") 
diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 8a0ee59d..4fb40e13 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. @@ -145,7 +145,7 @@ jobs: test/unit/test_options test/unit/test_cc_util test/unit/test_tpm2_eventlog \ test/unit/test_tpm2_eventlog_yaml test/unit/test_object \ test/integration/tests/X509certutil test/integration/tests/toggle_options \ - test/integration/tests/rc_decode test/integration/tests/X509certutil" 2>&1 | tee tpm2-tools-test-normal.log + test/integration/tests/rc_decode test/integration/tests/X509certutil" 2>&1 | tee tpm2-tools-test.log # Capture result - Fails test/unit/test_tpm2_policy and test/unit/test_tpm2_eventlog with WPFF TEST_RESULT=$(grep -q "# PASS: 20" tpm2-tools-test.log && echo "0" || echo "1") @@ -162,7 +162,7 @@ jobs: test/unit/test_options test/unit/test_cc_util test/unit/test_tpm2_eventlog \ test/unit/test_tpm2_eventlog_yaml test/unit/test_object \ test/integration/tests/X509certutil test/integration/tests/toggle_options \ - test/integration/tests/rc_decode test/integration/tests/X509certutil" 2>&1 | tee tpm2-tools-test-ff.log + test/integration/tests/rc_decode test/integration/tests/X509certutil" 2>&1 | tee tpm2-tools-test.log # Capture result - Fails test/unit/test_tpm2_policy and test/unit/test_tpm2_eventlog with WPFF TEST_RESULT=$(grep -q "# PASS: 20" tpm2-tools-test.log && echo "0" || echo "1") diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index f00083f8..1de8dcbe 100644 --- a/.github/workflows/x11vnc.yml 
+++ b/.github/workflows/x11vnc.yml @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-22.04 needs: build_wolfprovider container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 10 @@ -170,7 +170,7 @@ jobs: unset WOLFPROV_FORCE_FAIL # Surface the most recent log via the existing follow-up step - export X11VNC_TEST_LOG=/tmp/x11vnc-test-ff.log + export X11VNC_TEST_LOG=/tmp/x11vnc-test.log - name: Show x11vnc test log on failure run: | diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index e541f1d8..49762e36 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -33,7 +33,7 @@ jobs: needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment container: - image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. From b9adb95e1ff6768c115642a3669b5e64a69c26b2 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Mon, 25 May 2026 12:40:47 -0700 Subject: [PATCH 11/26] docker: drop libunwind-dev; conflicts with libunwind-14-dev on bookworm build fail: libunwind-14-dev : Conflicts: libunwind-dev E: Unable to correct problems, you have held broken packages. libunwind-dev is a virtual that resolves to libunwind-14-dev on bookworm; explicitly requesting it conflicts when another package already pulled in the versioned form. Nothing in our workflows directly asks for libunwind-dev, so just drop it -- it'll come in transitively. --- docker/wolfprovider-test-deps/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docker/wolfprovider-test-deps/Dockerfile b/docker/wolfprovider-test-deps/Dockerfile index 61ffab04..9d4d14d2 100644 --- a/docker/wolfprovider-test-deps/Dockerfile +++ b/docker/wolfprovider-test-deps/Dockerfile @@ -65,7 +65,7 @@ RUN apt-get update \ libavahi-client-dev libavahi-compat-libdnssd-dev libmemcached-dev \ libutf8proc-dev libxxhash-dev libkeyutils-dev libcom-err2 \ libcjose-dev libeac-dev libefivar-dev libncurses5-dev \ - libncursesw5-dev libunwind-dev libiberty-dev libltdl-dev libltdl7 \ + libncursesw5-dev libiberty-dev libltdl-dev libltdl7 \ libperl-dev linux-libc-dev binutils-dev uuid-dev \ # X11 (x11vnc, qt5network5) libx11-dev libxdamage-dev libxext-dev libxfixes-dev libxi-dev \ From fddae3e126a8eed380b09264b23e16275fdae688 Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 13:19:22 -0700 Subject: [PATCH 12/26] ci: dynamic discover-versions; honest matrix labels (review fix) The matrix on every Debian-container workflow was claiming openssl_ref: 'openssl-3.5.4', but the wolfprov .deb on ghcr.io is built by patching Debian Bookworm's stock libssl3 source -- which is currently 3.0.20. So the matrix label has been lying about what's actually installed and tested. The wolfssl_ref was likewise pinned and could drift. Replaces .github/workflows/_discover-wolfssl.yml with .github/workflows/_discover-versions.yml that resolves both at run time: - wolfSSL latest -stable tag via git ls-remote (same as before). - Debian Bookworm's currently-resolvable OpenSSL via `docker run --rm debian:bookworm apt-cache madison openssl`, stripping the Debian revision suffix. Outputs both plain (`wolfssl_ref`) and JSON-array (`wolfssl_ref_array`) forms; matrix consumers use the array form via fromJson. Wired into every workflow that calls build-wolfprovider.yml (38 heavy workflows + openssl-version.yml's wolfssl axis + the three workflows that previously used the wolfssl-only resolver). Each gets a `discover_versions` job that the build_wolfprovider and test_X jobs depend on. Today's resolution: wolfssl=v5.8.4-stable, openssl=openssl-3.0.20. When Bookworm bumps to 3.0.21 (or whenever) the label tracks automatically -- no CI edit needed. 
--- .github/workflows/_discover-versions.yml | 77 ++++++++++++++++++++++++ .github/workflows/_discover-wolfssl.yml | 43 ------------- .github/workflows/bind9.yml | 16 +++-- .github/workflows/cjose.yml | 16 +++-- .github/workflows/curl.yml | 16 +++-- .github/workflows/debian-package.yml | 16 +++-- .github/workflows/git-ssh-dr.yml | 16 +++-- .github/workflows/grpc.yml | 16 +++-- .github/workflows/hostap.yml | 16 +++-- .github/workflows/iperf.yml | 16 +++-- .github/workflows/krb5.yml | 16 +++-- .github/workflows/libcryptsetup.yml | 16 +++-- .github/workflows/libeac3.yml | 16 +++-- .github/workflows/libfido2.yml | 16 +++-- .github/workflows/libhashkit2.yml | 16 +++-- .github/workflows/libnice.yml | 16 +++-- .github/workflows/liboauth2.yml | 16 +++-- .github/workflows/librelp.yml | 16 +++-- .github/workflows/libssh2.yml | 16 +++-- .github/workflows/libtss2.yml | 4 +- .github/workflows/libwebsockets.yml | 16 +++-- .github/workflows/net-snmp.yml | 16 +++-- .github/workflows/nginx.yml | 16 +++-- .github/workflows/openldap.yml | 16 +++-- .github/workflows/opensc.yml | 16 +++-- .github/workflows/openssh.yml | 16 +++-- .github/workflows/openssl-version.yml | 7 ++- .github/workflows/openvpn.yml | 16 +++-- .github/workflows/pam-pkcs11.yml | 16 +++-- .github/workflows/ppp.yml | 16 +++-- .github/workflows/python3-ntp.yml | 16 +++-- .github/workflows/qt5network5.yml | 16 +++-- .github/workflows/rsync.yml | 16 +++-- .github/workflows/simple.yml | 4 +- .github/workflows/smoke-test.yml | 4 +- .github/workflows/socat.yml | 16 +++-- .github/workflows/sscep.yml | 16 +++-- .github/workflows/stunnel.yml | 16 +++-- .github/workflows/systemd.yml | 16 +++-- .github/workflows/tcpdump.yml | 16 +++-- .github/workflows/tnftp.yml | 16 +++-- .github/workflows/tpm2-tools.yml | 16 +++-- .github/workflows/x11vnc.yml | 16 +++-- .github/workflows/xmlsec.yml | 14 +++-- 44 files changed, 468 insertions(+), 277 deletions(-) create mode 100644 .github/workflows/_discover-versions.yml delete mode 100644 
.github/workflows/_discover-wolfssl.yml diff --git a/.github/workflows/_discover-versions.yml b/.github/workflows/_discover-versions.yml new file mode 100644 index 00000000..f82732ab --- /dev/null +++ b/.github/workflows/_discover-versions.yml 
@@ -0,0 +1,77 @@ +name: Discover wolfSSL + OpenSSL versions + +# Reusable workflow that resolves at run time: +# - latest wolfSSL v*-stable tag (from upstream wolfssl/wolfssl) +# - Debian Bookworm's stock OpenSSL version (matches what the +# wolfprov-patched .deb on ghcr.io was built against) +# +# Consumers use these outputs to populate matrix values so the +# matrix labels honestly reflect what the test actually installed. +# Today: latest -> v5.8.4-stable, openssl -> 3.0.20 (Bookworm stock). +# When Bookworm bumps OpenSSL or wolfSSL ships a new -stable, the +# resolver picks it up without a CI edit. + +on: + workflow_call: + outputs: + wolfssl_ref: + description: 'Plain string, e.g. v5.8.4-stable' + value: ${{ jobs.discover.outputs.wolfssl_ref }} + wolfssl_ref_array: + description: 'JSON array for matrix use, e.g. ["v5.8.4-stable"]' + value: ${{ jobs.discover.outputs.wolfssl_ref_array }} + openssl_ref: + description: 'Plain string, e.g. openssl-3.0.20' + value: ${{ jobs.discover.outputs.openssl_ref }} + openssl_ref_array: + description: 'JSON array for matrix use, e.g. 
["openssl-3.0.20"]' + value: ${{ jobs.discover.outputs.openssl_ref_array }} + +jobs: + discover: + name: Resolve wolfSSL + OpenSSL refs + runs-on: ubuntu-latest + timeout-minutes: 5 + outputs: + wolfssl_ref: ${{ steps.resolve.outputs.wolfssl_ref }} + wolfssl_ref_array: ${{ steps.resolve.outputs.wolfssl_ref_array }} + openssl_ref: ${{ steps.resolve.outputs.openssl_ref }} + openssl_ref_array: ${{ steps.resolve.outputs.openssl_ref_array }} + steps: + - name: Resolve versions + id: resolve + run: | + set -euo pipefail + + # ---- wolfSSL: highest v*-stable tag from upstream ---- + WOLFSSL=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' \ + | awk -F/ '{print $NF}' | sort -V | tail -n 1) + if [ -z "${WOLFSSL:-}" ]; then + echo "::error::Could not resolve latest wolfSSL -stable tag" + exit 1 + fi + + # ---- OpenSSL: whatever Debian Bookworm apt-resolves to ---- + # The wolfprov-patched .deb on ghcr.io is built by patching + # Bookworm's stock libssl3 source, so this is the actual + # OpenSSL the Debian-container workflows end up linking against. + # Use docker to ask Bookworm's apt directly, then strip the + # Debian revision (3.0.20-1~deb12u1 -> 3.0.20). + OSSL_RAW=$(docker run --rm debian:bookworm sh -c \ + 'apt-get update -qq >/dev/null 2>&1 && apt-cache madison openssl | head -1' \ + | awk '{print $3}') + if [ -z "${OSSL_RAW:-}" ]; then + echo "::error::Could not resolve Bookworm OpenSSL version" + exit 1 + fi + OSSL=$(echo "$OSSL_RAW" | sed 's/-.*//') + + echo "wolfSSL latest -stable: $WOLFSSL" + echo "Bookworm OpenSSL: openssl-$OSSL (raw: $OSSL_RAW)" + + { + echo "wolfssl_ref=$WOLFSSL" + echo "wolfssl_ref_array=[\"$WOLFSSL\"]" + echo "openssl_ref=openssl-$OSSL" + echo "openssl_ref_array=[\"openssl-$OSSL\"]" + } >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/_discover-wolfssl.yml b/.github/workflows/_discover-wolfssl.yml deleted file mode 100644 index 465a72e6..00000000 --- a/.github/workflows/_discover-wolfssl.yml +++ /dev/null 
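Review bot: The resolved `$WOLFSSL` and `$OSSL` are written to `$GITHUB_OUTPUT` without any shape check, even though they come from an external remote's tag names and from a `docker run` against the mutable `debian:bookworm` image, and consumers splice them into `fromJson(...)` matrices and, in libtss2.yml, straight into a `run:` script (`WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }}`). A tag name containing `"` would also break the hand-built JSON arrays `[\"$WOLFSSL\"]`. I would reject anything that is not version-shaped before emitting the outputs, between the resolution and the `$GITHUB_OUTPUT` block, as below. The `apt-cache madison openssl | head -1` pick presumably relies on madison listing the highest candidate first; a comment stating that assumption, `# madison lists candidates highest-first; take the top one`, would help the next maintainer. Consumers would additionally be safer passing these outputs through `env:` rather than inline `${{ }}` inside `run:`.
```yaml
          # … unchanged: wolfSSL and OpenSSL resolution …
          # Both values are embedded unquoted in JSON arrays and spliced
          # into consumer run: scripts, so accept only version-shaped text.
          if [[ ! "$WOLFSSL" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-stable$ ]]; then
            echo "::error::Unexpected wolfSSL tag: $WOLFSSL"
            exit 1
          fi
          if [[ ! "$OSSL" =~ ^[0-9]+(\.[0-9]+)+[a-z]?$ ]]; then
            echo "::error::Unexpected OpenSSL version: $OSSL"
            exit 1
          fi
          # … unchanged: summary echo and $GITHUB_OUTPUT write …
```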
@@ -1,43 +0,0 @@ -name: Discover wolfSSL latest-stable - -# Reusable workflow that resolves the highest v*-stable tag on -# https://github.com/wolfSSL/wolfssl at run time, so consumer workflows -# do not have to be edited every wolfSSL release. Pattern lifted from -# wolfSSL/wolfTPM's .github/workflows/wolfssl-versions-pqc.yml. -# -# Heavy workflows that pull pre-built .deb packages from ghcr.io still -# get whatever the Jenkins debian-export job has published. The -# wolfssl_ref input to build-wolfprovider.yml ends up being -# informational in that case (the package contents are authoritative). -# simple.yml is the one workflow that genuinely consumes this output -# at face value, since it builds wolfSSL from source via -# scripts/build-wolfprovider.sh. - -on: - workflow_call: - outputs: - latest_stable: - description: 'Highest v*-stable tag on wolfSSL master' - value: ${{ jobs.discover.outputs.latest_stable }} - -jobs: - discover: - name: Resolve latest-stable - runs-on: ubuntu-latest - timeout-minutes: 5 - outputs: - latest_stable: ${{ steps.resolve.outputs.latest_stable }} - steps: - - name: Resolve latest -stable wolfSSL tag - id: resolve - run: | - set -euo pipefail - # ls-remote is ~1s and avoids cloning just to read tag names. - LATEST=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' \ - | awk -F/ '{print $NF}' | sort -V | tail -n 1) - if [ -z "${LATEST:-}" ]; then - echo "::error::Could not resolve latest wolfSSL -stable tag from remote" - exit 1 - fi - echo "Latest stable wolfSSL: $LATEST" - echo "latest_stable=$LATEST" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index 58afb6e5..98d41c2a 100644 --- a/.github/workflows/bind9.yml +++ b/.github/workflows/bind9.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_bind: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: bind_ref: [ 'v9.18.28' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index abce62fd..8b23219e 100644 --- a/.github/workflows/cjose.yml +++ b/.github/workflows/cjose.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_cjose: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm @@ -71,8 +75,8 @@ jobs: matrix: # Dont test osp master since it might be unstable cjose_ref: [ 'v0.6.2.1' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 2a2f98b5..f6ef0a12 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_curl: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -70,8 +74,8 @@ jobs: matrix: # PR runs latest curl only. Older refs are exercised at release time. curl_ref: [ 'curl-8_4_0' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] # force_fail collapsed into sequential runs in the test step diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 771f39ca..c163c0e0 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,8 +54,8 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true, false ] @@ -59,7 +63,7 @@ jobs: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: libwolfprov ${{ matrix.replace_default && 'replace-default' || 'standalone' }} ${{ matrix.fips_ref }} runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm @@ -70,8 +74,8 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true, false ] # force_fail collapsed into sequential runs in the test step diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index ea14d70b..2a9837b2 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml 
@@ -36,8 +36,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -48,8 +52,8 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] @@ -60,14 +64,14 @@ jobs: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] # This should be a safe limit for the tests to run. timeout-minutes: 20 strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] # PR matrix: 2 of 4 key types and 3 iterations. diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 8b0a3a38..9f81c77d 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_grpc: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -76,8 +80,8 @@ jobs: ssl_transport_security_test ssl_transport_security_utils_test test_core_security_ssl_credentials_test test_cpp_end2end_ssl_credentials_test h2_ssl_cert_test h2_ssl_session_reuse_test - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] # force_fail collapsed into sequential runs in the test step diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index 8ee4cf79..3f3bd778 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_hostap: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm with privileged access for UML container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm @@ -71,8 +75,8 @@ jobs: fail-fast: false matrix: hostap_ref: [ 'main' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] # force_fail collapsed into sequential VM test rounds below diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index a48429b4..3645a03f 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_iperf: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: iperf_ref: [ '3.12' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 2045fb2e..da79e6e8 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_krb5: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: krb5_ref: [ 'krb5-1.20.1-final' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index cb562fd8..a89dd64e 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_cryptsetup: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: cryptsetup_ref: [ 'v2.6.1' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 6bceb27b..5cbcf1e6 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_libeac3: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: openpace_ref: [ '1.1.3' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 8ccd78a1..4d6acf14 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml 
@@ -34,8 +34,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -46,15 +50,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_libfido2: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -64,8 +68,8 @@ jobs: fail-fast: false matrix: libfido2_ref: [ '1.15.0' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index 92fcb83b..49e4934a 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_libhashkit2: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: libhashkit2_ref: [ '1.1.4' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index be2f83d5..9ccc7f9b 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_libnice: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -68,8 +72,8 @@ jobs: fail-fast: false matrix: libnice_ref: [ '0.1.21' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index d78c9766..70655cca 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_liboauth2: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -68,8 +72,8 @@ jobs: fail-fast: false matrix: liboauth2_ref: [ 'v1.4.5.4' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index 588beb36..7a3d6354 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml 
@@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: @@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_librelp: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm @@ -71,8 +75,8 @@ jobs: matrix: # Dont test osp master since it might be unstable librelp_ref: [ 'v1.12.0' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] # force_fail collapsed into sequential runs in the test step diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 8ddfb319..c1cdc7d9 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml 
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_libssh2:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -68,8 +72,8 @@ jobs:
 fail-fast: false
 matrix:
 libssh2_ref: [ 'libssh2-1.10.0' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml
index 1dbc121f..285da8bf 100644
--- a/.github/workflows/libtss2.yml
+++ b/.github/workflows/libtss2.yml
@@ -23,7 +23,7 @@ concurrency:
 jobs:
 discover_versions:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
- uses: ./.github/workflows/_discover-wolfssl.yml
+ uses: ./.github/workflows/_discover-versions.yml
 test_tpm2_tss:
 needs: discover_versions
@@ -63,7 +63,7 @@ jobs:
 - name: Build wolfProvider
 run: |
 OPENSSL_TAG=${{ matrix.openssl_ref }} \
- WOLFSSL_TAG=${{ needs.discover_versions.outputs.latest_stable }} \
+ WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \
 ./scripts/build-wolfprovider.sh
 - name: Checkout tpm2-tss
diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml
index 61462d28..9d0ad4ec 100644
--- a/.github/workflows/libwebsockets.yml
+++ b/.github/workflows/libwebsockets.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_libwebsockets:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
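Review bot: In the libtss2 `@@ -63,7 +63,7 @@` hunk, `WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \` splices a job output straight into the `run:` script, so the runner substitutes the value before the shell parses the command: an output that is unset expands to nothing and `WOLFSSL_TAG=` is silently handed to `./scripts/build-wolfprovider.sh` (its behaviour with an empty tag is not visible here), and any shell metacharacters in the value would be interpreted rather than passed as data. The old `latest_stable` line had the same shape, but now that the value is produced by a workflow outside this diff, the usual hardening applies: pass it through the step's `env:` and reference `"$WOLFSSL_TAG"`, and fail explicitly when it is empty. The same pattern appears in the `simple.yml` and `smoke-test.yml` hunks later in this patch. The `test_tpm2_tss` job this step belongs to starts outside the hunk.

```yaml
      - name: Build wolfProvider
        env:
          WOLFSSL_TAG: ${{ needs.discover_versions.outputs.wolfssl_ref }}
        run: |
          test -n "$WOLFSSL_TAG" || { echo "discover_versions produced no wolfssl_ref" >&2; exit 1; }
          OPENSSL_TAG=${{ matrix.openssl_ref }} \
          ./scripts/build-wolfprovider.sh
      # … unchanged: Checkout tpm2-tss step …
```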
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 libwebsockets_ref: [ 'v4.3.3' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml
index edd4b673..38757c83 100644
--- a/.github/workflows/net-snmp.yml
+++ b/.github/workflows/net-snmp.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_net_snmp:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 net_snmp_ref: [ 'v5.9.3' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
index e4f4b0e9..2526c844 100644
--- a/.github/workflows/nginx.yml
+++ b/.github/workflows/nginx.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_nginx:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 nginx_ref: [ 'release-1.27.4' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml
index 79ef35e7..74a884f6 100644
--- a/.github/workflows/openldap.yml
+++ b/.github/workflows/openldap.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_openldap:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 openldap_ref: [ 'OPENLDAP_REL_ENG_2_6_7' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 # force_fail collapsed into sequential runs in the test step
diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml
index a87c3d06..9b6ac2a7 100644
--- a/.github/workflows/opensc.yml
+++ b/.github/workflows/opensc.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_opensc:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 opensc_ref: [ '0.25.1' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml
index 6d9affd2..6e5df6de 100644
--- a/.github/workflows/openssh.yml
+++ b/.github/workflows/openssh.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_openssh:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 # Extra permissions needed for Debian Bookworm
@@ -80,8 +84,8 @@ jobs:
 matrix:
 # PR runs latest openssh only. Older refs exercised at release time.
 openssh_ref: [ 'V_10_0_P2' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'non-FIPS' ] # FIPS is not yet supported for OpenSSH
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml
index d018908c..69e5b7e0 100644
--- a/.github/workflows/openssl-version.yml
+++ b/.github/workflows/openssl-version.yml
@@ -25,7 +25,12 @@ concurrency:
 # END OF COMMON SECTION
 jobs:
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 openssl_version_test:
+ needs: discover_versions
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 continue-on-error: true
 name: OpenSSL Version Test
@@ -34,7 +39,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: ['v5.8.4-stable']
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
 openssl_ref: [
 'openssl-3.0.3',
 'openssl-3.0.5',
diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
index b06c1583..4e6845b7 100644
--- a/.github/workflows/openvpn.yml
+++ b/.github/workflows/openvpn.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_openvpn:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 # This should be a safe limit for the tests to run.
 timeout-minutes: 20
 container:
@@ -70,8 +74,8 @@ jobs:
 matrix:
 # Dont test master since it might be too unstable
 openvpn_ref: [ 'v2.6.12' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 # force_fail collapsed into sequential runs in the test step
diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml
index 20f78bcb..7ff64731 100644
--- a/.github/workflows/pam-pkcs11.yml
+++ b/.github/workflows/pam-pkcs11.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_pam_pkcs11:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 pam_pkcs11_ref: [ 'pam_pkcs11-0.6.12' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml
index f9ea12c6..1b352ee9 100644
--- a/.github/workflows/ppp.yml
+++ b/.github/workflows/ppp.yml
@@ -36,8 +36,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -48,15 +52,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_ppp:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -69,8 +73,8 @@ jobs:
 # specifically the lack of a test suite, necessary configure options,
 # and compatibility with newer versions of openssl
 ppp_ref: [ 'v2.5.2' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml
index 83faba96..90c5ddfd 100644
--- a/.github/workflows/python3-ntp.yml
+++ b/.github/workflows/python3-ntp.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_python3-ntp:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 # This should be a safe limit for the tests to run.
 timeout-minutes: 20
 container:
@@ -73,8 +77,8 @@ jobs:
 fail-fast: false
 matrix:
 python3-ntp_ref: [ 'NTPsec_1_2_2' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 steps:
diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml
index 61a18c03..2440e9b0 100644
--- a/.github/workflows/qt5network5.yml
+++ b/.github/workflows/qt5network5.yml
@@ -35,8 +35,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -47,15 +51,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_qtbase_network:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -65,8 +69,8 @@ jobs:
 fail-fast: false
 matrix:
 qt_ref: [ 'v5.15.8-lts-lgpl' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml
index 6133f130..0e3f5f2b 100644
--- a/.github/workflows/rsync.yml
+++ b/.github/workflows/rsync.yml
@@ -35,8 +35,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -47,15 +51,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_rsync:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 timeout-minutes: 15
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 rsync_ref: [ 'v3.2.7' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 steps:
diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml
index 0f595f0d..a73ab602 100644
--- a/.github/workflows/simple.yml
+++ b/.github/workflows/simple.yml
@@ -27,7 +27,7 @@ concurrency:
 jobs:
 discover_versions:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
- uses: ./.github/workflows/_discover-wolfssl.yml
+ uses: ./.github/workflows/_discover-versions.yml
 simple_test:
 needs: discover_versions
@@ -57,7 +57,7 @@ jobs:
 - name: Build and test wolfProvider
 run: |
 OPENSSL_TAG=${{ matrix.openssl_ref }} \
- WOLFSSL_TAG=${{ needs.discover_versions.outputs.latest_stable }} \
+ WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \
 ./scripts/build-wolfprovider.sh ${{ matrix.debug }} ${{ matrix.replace_default }}
 - name: Print errors
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index b294de6d..bf34eaa9 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@@ -34,7 +34,7 @@ permissions:
 jobs:
 discover_versions:
- uses: ./.github/workflows/_discover-wolfssl.yml
+ uses: ./.github/workflows/_discover-versions.yml
 smoke:
 needs: discover_versions
@@ -61,7 +61,7 @@ jobs:
 - name: Build and test wolfProvider
 run: |
 # Substitute the resolved latest-stable for the "stable" matrix row.
- WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.latest_stable }}"
+ WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_ref }}"
 OPENSSL_TAG=${{ matrix.openssl_ref }} \
 WOLFSSL_TAG="$WOLFSSL_TAG" \
 ./scripts/build-wolfprovider.sh
diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml
index 1e54ea8b..ecdd6de4 100644
--- a/.github/workflows/socat.yml
+++ b/.github/workflows/socat.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
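Review bot: In the smoke-test `@@ -61,7 +61,7 @@` hunk, the new `WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_ref }}"` still relies on `||`, which only falls through when `matrix.wolfssl_ref` is empty or false; the comment above it says the "stable" matrix row is substituted, so that row must be spelled as an empty value rather than the literal `stable` for the fallback to fire (the matrix is outside this hunk, so I cannot confirm either way). Since this job is what every other workflow's `wait_for_smoke` gates on, a wrong or empty tag here fails the whole PR with no hint about which input was blank; the shell double quotes do not help because the `${{ }}` expansion happens before the shell runs. I would move the expression to the step's `env:` as `WOLFSSL_TAG: ${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_ref }}` and add `test -n "$WOLFSSL_TAG" || { echo "no wolfSSL ref resolved for this matrix row" >&2; exit 1; }` as the first line of `run:`, which also removes the expression from the script body. The `smoke` job this step belongs to starts outside the hunk.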
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_socat:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 continue-on-error: true
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
@@ -70,8 +74,8 @@ jobs:
 fail-fast: false
 matrix:
 socat_ref: [ 'socat-1.8.0.0' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml
index a2739e4c..ed7bad59 100644
--- a/.github/workflows/sscep.yml
+++ b/.github/workflows/sscep.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_sscep:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 timeout-minutes: 10
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
@@ -72,8 +76,8 @@ jobs:
 fail-fast: false
 matrix:
 sscep_ref: [ 'v0.10.0' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 # force_fail collapsed into sequential runs in the test step
diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml
index 92e6e002..b3580a88 100644
--- a/.github/workflows/stunnel.yml
+++ b/.github/workflows/stunnel.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_stunnel:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 container:
 image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
 env:
@@ -69,8 +73,8 @@ jobs:
 fail-fast: false
 matrix:
 stunnel_ref: [ 'stunnel-5.67' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 env:
diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml
index 83a09199..c7edcb3d 100644
--- a/.github/workflows/systemd.yml
+++ b/.github/workflows/systemd.yml
@@ -38,8 +38,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -50,15 +54,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 test_systemd:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: ubuntu-22.04
- needs: build_wolfprovider
+ needs: [build_wolfprovider, discover_versions]
 # This should be a safe limit for the tests to run.
 timeout-minutes: 20
 container:
@@ -72,8 +76,8 @@ jobs:
 fail-fast: false
 matrix:
 systemd_ref: [ 'v254' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
- openssl_ref: [ 'openssl-3.5.4' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+ openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
 fips_ref: [ 'FIPS', 'non-FIPS' ]
 replace_default: [ true ]
 steps:
diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml
index dfa4e316..d3c34114 100644
--- a/.github/workflows/tcpdump.yml
+++ b/.github/workflows/tcpdump.yml
@@ -35,8 +35,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
 build_wolfprovider:
- needs: wait_for_smoke
+ needs: [wait_for_smoke, discover_versions]
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 uses: ./.github/workflows/build-wolfprovider.yml
 with:
@@ -47,15 +51,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_tcpdump: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] continue-on-error: true container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm @@ -66,8 +70,8 @@ jobs: fail-fast: false matrix: tcpdump_ref: [ 'tcpdump-4.99.3' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 42909022..cd3f5f6f 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: 
@@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_tnftp: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: tnftp_ref: [ 'tnftp-20210827' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 4fb40e13..84a0a0f6 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: 
@@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_tpm2_tools: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -69,8 +73,8 @@ jobs: fail-fast: false matrix: tpm2_tools_ref: [ '5.7' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index 1de8dcbe..a4c6029e 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml @@ -38,8 +38,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: - needs: wait_for_smoke + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/build-wolfprovider.yml with: 
@@ -50,15 +54,15 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_x11vnc: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm env: @@ -68,8 +72,8 @@ jobs: fail-fast: false matrix: x11vnc_ref: [ '0.9.17' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] env: diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index 49762e36..c241964e 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -13,6 +13,10 @@ concurrency: # END OF COMMON SECTION jobs: + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + build_wolfprovider: uses: ./.github/workflows/build-wolfprovider.yml with: 
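Review bot: `build_wolfprovider` in xmlsec.yml gets no `needs: discover_versions`, yet its matrix in the next hunk reads `needs.discover_versions.outputs.wolfssl_ref_array`; without that edge the output is not available to the job (and actionlint rejects the reference), so `fromJson` on an empty value fails the job before the matrix is built. Unless a `needs:` line sits in the unchanged lines between the two hunks, add `needs: discover_versions` under `build_wolfprovider:` as the other workflows in this patch do. Note also that `discover_versions` is the only job in this file carrying the draft-PR `if:`, so on a draft PR it is skipped, `test_xmlsec` (which does need it) is skipped with it, while `build_wolfprovider` still runs; decide whether xmlsec should be draft-gated like the other workflows or left ungated throughout.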
@@ -23,14 +27,14 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] test_xmlsec: runs-on: ubuntu-22.04 - needs: build_wolfprovider + needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm @@ -42,8 +46,8 @@ jobs: fail-fast: false matrix: xmlsec_ref: [ 'xmlsec-1_2_37' ] - wolfssl_ref: [ 'v5.8.4-stable' ] - openssl_ref: [ 'openssl-3.5.4' ] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] # force_fail collapsed into sequential runs in the test step From b249331a2b3d4df982fb71224b134ab24d683a54 Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 13:43:02 -0700 Subject: [PATCH 13/26] ci: split OSP integration tests to nightly + add ASan/UBSan PR CI was burning runner time on 40 OSP integration workflows that each spin up multiple matrix jobs, install a Debian container, install .debs, and run upstream test suites -- on every push. That's the runner-throttling we've been hitting. Move all of that to nightly. OSP workflows -> reusable + dispatch-only ========================================= 40 workflows converted from `on: pull_request + push` to `on: workflow_call + workflow_dispatch`. PRs no longer trigger them. The `wait_for_smoke` job inside each is removed -- nightly doesn't have a smoke gate (smoke gates the open-PR fast feedback loop, not scheduled runs). Upstream matrices restored where Phase A had trimmed them: - curl: curl_ref back to [curl-8_4_0, curl-7_88_1] - openssh: openssh_ref back to [V_10_0_P2, V_9_9_P1] - git-ssh-dr: key_type back to all four, iterations back to 10 The 40 OSPs: bind9, cjose, curl, debian-package, git-ssh-dr, grpc, hostap, iperf, krb5, libcryptsetup, libeac3, libfido2, libhashkit2, libnice, liboauth2, librelp, libssh2, libtss2, libwebsockets, net-snmp, nginx, openldap, opensc, openssh, openvpn, pam-pkcs11, ppp, python3-ntp, qt5network5, rsync, socat, sscep, sssd, stunnel, systemd, tcpdump, tnftp, tpm2-tools, x11vnc, xmlsec. New nightly orchestrator (.github/workflows/nightly-osp.yml) ============================================================ `schedule: 0 6 * * *` + workflow_dispatch. Fans out all 40 OSP workflows in parallel via `uses:` and aggregates results in a `notify` job that: - Always runs (`if: always()`) so failures don't suppress the report. - Parses `toJSON(needs)` to build pass/fail lists with jq: to_entries[] | select(.value.result != "success") | "\(.key) (\(.value.result))" (the `[]` stream is load-bearing -- `map(...)` then `.[].key` inside a string template is malformed jq.) 
- Posts a green/red Slack attachment to SLACK_WEBHOOK_URL, with `curl -fsS` so HTTP errors actually fail the workflow. - Writes the same summary to $GITHUB_STEP_SUMMARY so the run page is readable even when SLACK_WEBHOOK_URL isn't set. - SLACK_WEBHOOK_URL is read at JOB-level env so the step `if:` can see it. Step-level env is not in scope for that step's own `if:`. ASan + UBSan workflow (.github/workflows/sanitizers.yml) ======================================================== Builds OpenSSL, wolfSSL, and wolfProvider from source under -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -static-libasan, then runs do-cmd-tests.sh against the instrumented binaries. ASAN_OPTIONS and UBSAN_OPTIONS are set to halt on the first hit so we don't drown in cascades. Versions come from _discover-versions.yml. Gated on smoke. Runs on PR. wait_for_smoke kept where it matters ==================================== After the OSP move, the PR-triggered workflows that build wolfProvider all gate on smoke: simple, cmdline, fips-ready, openssl-version, seed-src, multi-compiler, sanitizers. codespell stays ungated (it doesn't build wolfprov). Requires the repo secret SLACK_WEBHOOK_URL for the Slack push to fire; without it the workflow still runs and writes the summary to the job output.
--- .github/workflows/bind9.yml | 44 +----- .github/workflows/cjose.yml | 44 +----- .github/workflows/cmdline.yml | 14 ++ .github/workflows/curl.yml | 47 ++---- .github/workflows/debian-package.yml | 44 +----- .github/workflows/fips-ready.yml | 14 ++ .github/workflows/git-ssh-dr.yml | 48 ++---- .github/workflows/grpc.yml | 44 +----- .github/workflows/hostap.yml | 44 +----- .github/workflows/iperf.yml | 44 +----- .github/workflows/krb5.yml | 44 +----- .github/workflows/libcryptsetup.yml | 44 +----- .github/workflows/libeac3.yml | 44 +----- .github/workflows/libfido2.yml | 44 ++---- .github/workflows/libhashkit2.yml | 44 +----- .github/workflows/libnice.yml | 44 +----- .github/workflows/liboauth2.yml | 44 +----- .github/workflows/librelp.yml | 44 +----- .github/workflows/libssh2.yml | 44 +----- .github/workflows/libtss2.yml | 28 ++-- .github/workflows/libwebsockets.yml | 44 +----- .github/workflows/net-snmp.yml | 44 +----- .github/workflows/nginx.yml | 44 +----- .github/workflows/nightly-osp.yml | 212 ++++++++++++++++++++++++++ .github/workflows/openldap.yml | 44 +----- .github/workflows/opensc.yml | 44 +----- .github/workflows/openssh.yml | 47 ++---- .github/workflows/openssl-version.yml | 15 +- .github/workflows/openvpn.yml | 44 +----- .github/workflows/pam-pkcs11.yml | 44 +----- .github/workflows/ppp.yml | 42 +---- .github/workflows/python3-ntp.yml | 44 +----- .github/workflows/qt5network5.yml | 43 ++---- .github/workflows/rsync.yml | 43 ++---- .github/workflows/sanitizers.yml | 115 ++++++++++++++ .github/workflows/seed-src.yml | 14 ++ .github/workflows/simple.yml | 15 +- .github/workflows/socat.yml | 44 +----- .github/workflows/sscep.yml | 44 +----- .github/workflows/sssd.yml | 27 +--- .github/workflows/stunnel.yml | 44 +----- .github/workflows/systemd.yml | 44 +----- .github/workflows/tcpdump.yml | 43 ++---- .github/workflows/tnftp.yml | 44 +----- .github/workflows/tpm2-tools.yml | 44 +----- .github/workflows/x11vnc.yml | 44 +----- .github/workflows/xmlsec.yml | 
15 +- 47 files changed, 725 insertions(+), 1377 deletions(-) create mode 100644 .github/workflows/nightly-osp.yml create mode 100644 .github/workflows/sanitizers.yml diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index 98d41c2a..229fadc2 100644 --- a/.github/workflows/bind9.yml +++ b/.github/workflows/bind9.yml @@ -1,50 +1,23 @@ name: Bind9 Tests -# START OF COMMON SECTION +# OSP integration test for Bind9 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} 
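Review bot: Switching `on:` to `workflow_call` changes what the unchanged `group: ${{ github.workflow }}-${{ github.ref }}` resolves to, and with `cancel-in-progress: true` that can make the nightly fan-out cancel itself. GitHub documents that the `github` context inside a called workflow is the caller's, so every OSP workflow invoked from nightly-osp.yml would compute the same group name; I have not confirmed how the runner applies a called workflow's top-level `concurrency`, so please check a manual nightly run for sibling jobs being cancelled before relying on it. The same pattern is in the cjose, curl, debian-package, git-ssh-dr, grpc, hostap and iperf hunks below. A safe fix is to remove the `concurrency:` block from these called workflows and keep a single group on the orchestrator, or make the group per-call, e.g. `group: ${{ github.workflow }}-${{ github.ref }}-bind9`.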
@@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_bind: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index 8b23219e..f6d96220 100644 --- a/.github/workflows/cjose.yml +++ b/.github/workflows/cjose.yml @@ -1,50 +1,23 @@ name: cjose Tests -# START OF COMMON SECTION +# OSP integration test for cjose Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} 
@@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_cjose: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml index c09dd047..a750025f 100644 --- a/.github/workflows/cmdline.yml +++ b/.github/workflows/cmdline.yml @@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + cmdtest_test: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: Command line test runs-on: ubuntu-22.04 diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index f6ef0a12..d4cd881e 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml 
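Review bot: The new `wait_for_smoke` job in cmdline.yml hands `secrets.GITHUB_TOKEN` to the local `wait-for-smoke` action without a `permissions:` block, so on `push` and same-repository `pull_request` runs the token carries the repository's default permissions rather than the read scopes a status-polling action needs. I cannot see the action's API calls from this hunk, but polling check runs or workflow runs needs only reads, so `permissions: { actions: read, checks: read, contents: read }` on the job (trimming whichever it does not use) keeps it least-privilege. The same applies to the `wait_for_smoke` job added in fips-ready.yml further down. For `pull_request` runs from forks the token is already read-only, so the exposure is the push and same-repo PR paths.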
@@ -1,50 +1,23 @@ name: Curl Tests -# START OF COMMON SECTION +# OSP integration test for Curl Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_curl: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
@@ -72,8 +44,7 @@ jobs: strategy: fail-fast: false matrix: - # PR runs latest curl only. Older refs are exercised at release time. - curl_ref: [ 'curl-8_4_0' ] + curl_ref: [ 'curl-8_4_0', 'curl-7_88_1' ] wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index c163c0e0..70e87ba6 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml 
@@ -1,50 +1,23 @@ name: Debian Package Test -# START OF COMMON SECTION +# OSP integration test for Debian Package Test. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true, false ] libwolfprov-replace-default: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: libwolfprov ${{ matrix.replace_default && 'replace-default' || 'standalone' }} ${{ matrix.fips_ref }} runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] 
diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml index 69fa42b5..3749b548 100644 --- a/.github/workflows/fips-ready.yml +++ b/.github/workflows/fips-ready.yml @@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + fips_ready_test: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: FIPS Ready Bundle Test runs-on: ubuntu-22.04 diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index 2a9837b2..0f2248dd 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml 
@@ -1,48 +1,23 @@ name: Git SSH Default Replace Tests +# OSP integration test for Git SSH Default Replace Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -58,7 +33,6 @@ jobs: replace_default: [ true ] git-ssh-default-replace-test: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm 
@@ -74,10 +48,8 @@ jobs: openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'FIPS', 'non-FIPS' ] replace_default: [ true ] - # PR matrix: 2 of 4 key types and 3 iterations. - # Other key_types and longer soak runs are exercised at release time. - key_type: [ 'rsa', 'ed25519' ] - iterations: [ 3 ] + key_type: [ 'rsa', 'ecdsa', 'ed25519', 'chacha20-poly1305' ] + iterations: [ 10 ] # Total of 80 runs # force_fail collapsed into sequential runs in the test step env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 9f81c77d..3a77b524 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml 
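Review bot: The comment `# Total of 80 runs` assumes one entry each in the discovered `wolfssl_ref` and `openssl_ref` arrays: 4 key types × 2 FIPS modes × 10 iterations is 80 only when both `fromJson(...)` arrays have length 1, so the figure goes stale as soon as `_discover-versions.yml` emits more refs. Suggest `# 4 key types x 2 fips modes x 10 iterations, multiplied by the discovered wolfssl/openssl refs`. Whether `iterations` drives an in-step loop or only the matrix is decided in the steps outside this hunk.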
@@ -1,50 +1,23 @@ name: gRPC Tests -# START OF COMMON SECTION +# OSP integration test for gRPC Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_grpc: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index 3f3bd778..a0cb0a72 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml 
@@ -1,50 +1,23 @@ name: hostap and wpa supplicant Tests -# START OF COMMON SECTION +# OSP integration test for hostap and wpa supplicant Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**'] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_hostap: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm with privileged access for UML 
diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 3645a03f..9200341f 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -1,50 +1,23 @@ name: iperf Tests -# START OF COMMON SECTION +# OSP integration test for iperf Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_iperf: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index da79e6e8..9e724565 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -1,50 +1,23 @@ name: KRB5 Tests -# START OF COMMON SECTION +# OSP integration test for KRB5 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_krb5: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index a89dd64e..ed96fef6 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -1,50 +1,23 @@ name: Libcryptsetup Tests -# START OF COMMON SECTION +# OSP integration test for Libcryptsetup Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} 
@@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_cryptsetup: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 5cbcf1e6..c67f5a3b 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml 
@@ -1,50 +1,23 @@ name: libeac3 Tests -# START OF COMMON SECTION +# OSP integration test for libeac3 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_libeac3: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 4d6acf14..768979a1 100644 --- a/.github/workflows/libfido2.yml 
+++ b/.github/workflows/libfido2.yml @@ -1,46 +1,23 @@ name: libfido2 Tests + +# OSP integration test for libfido2 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -56,7 +33,6 @@ jobs: replace_default: [ true ] test_libfido2: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index 49e4934a..4f78eaf2 100644 --- a/.github/workflows/libhashkit2.yml 
+++ b/.github/workflows/libhashkit2.yml @@ -1,50 +1,23 @@ name: libhashkit2 Tests -# START OF COMMON SECTION +# OSP integration test for libhashkit2 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_libhashkit2: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index 9ccc7f9b..512aefb4 100644 
--- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml @@ -1,50 +1,23 @@ name: libnice Tests -# START OF COMMON SECTION +# OSP integration test for libnice Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_libnice: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index 70655cca..b397f36d 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -1,50 +1,23 @@ name: liboauth2 Tests -# START OF COMMON SECTION +# OSP integration test for liboauth2 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} 
@@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_liboauth2: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index 7a3d6354..f7deced0 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml 
@@ -1,50 +1,23 @@ name: librelp Tests -# START OF COMMON SECTION +# OSP integration test for librelp Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_librelp: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index c1cdc7d9..05ddfc50 100644 
--- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -1,50 +1,23 @@ name: libssh2 Tests -# START OF COMMON SECTION +# OSP integration test for libssh2 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_libssh2: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index 285da8bf..cb2d02ce 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -1,33 +1,23 @@ name: tpm2-tss Tests + +# OSP integration test for tpm2-tss Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml test_tpm2_tss: needs: discover_versions - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 container: image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index 9d0ad4ec..67ed9519 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml 
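Review bot: With the `pull_request` trigger removed, the `github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner` expression in `test_tpm2_tss`'s `container.image` is only reachable if a caller is itself running on a pull_request event, which the scheduled orchestrator never is. The fork-owner arm presumably existed to pull a contributor's image for PR runs; on the nightly path it is dead weight and reads as if PR-built images were still in play, so `image: ghcr.io/${{ github.repository_owner }}/wolfprovider-test-deps:bookworm` would be clearer — unless a PR-driven caller is still planned, in which case a one-line comment saying so would help. The `test_tpm2_tss` job continues past the end of the hunk.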
@@ -1,50 +1,23 @@ name: libwebsockets Tests -# START OF COMMON SECTION +# OSP integration test for libwebsockets Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_libwebsockets: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 38757c83..e40eaee7 100644 --- a/.github/workflows/net-snmp.yml 
+++ b/.github/workflows/net-snmp.yml @@ -1,50 +1,23 @@ name: Net-SNMP Tests -# START OF COMMON SECTION +# OSP integration test for Net-SNMP Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_net_snmp: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 2526c844..0ba24058 100644 
--- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -1,50 +1,23 @@ name: Nginx Tests -# START OF COMMON SECTION +# OSP integration test for Nginx Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_nginx: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/nightly-osp.yml b/.github/workflows/nightly-osp.yml new file mode 100644 index 00000000..e679425e --- /dev/null +++ b/.github/workflows/nightly-osp.yml 
@@ -0,0 +1,212 @@ +name: Nightly OSP Suite + +# Nightly orchestrator that runs every OSP (Open Source Project) +# integration workflow against the latest stable wolfSSL and the +# current Debian Bookworm OpenSSL. Each OSP workflow is a reusable +# (workflow_call) workflow; this file just fans them out in parallel +# and reports an aggregate status to Slack. +# +# PR CI does NOT run these -- it stays cheap (smoke + simple + a few +# internal checks). Nightly is where the full matrix lives. + +on: + schedule: + # 06:00 UTC daily. Pick a time when shared-runner contention is low + # so the matrix doesn't fight PR CI. + - cron: '0 6 * * *' + workflow_dispatch: + inputs: + reason: + description: 'Why are we triggering manually? (annotation only)' + required: false + default: 'manual nightly run' + +permissions: + contents: read + packages: read + actions: read + +concurrency: + group: nightly-osp + cancel-in-progress: false + +jobs: + # Each entry below fires the corresponding OSP workflow as a reusable. + # Adding a new OSP workflow? Drop a `:` block here too. 
+ bind9: { uses: ./.github/workflows/bind9.yml }
+ cjose: { uses: ./.github/workflows/cjose.yml }
+ curl: { uses: ./.github/workflows/curl.yml }
+ debian-package: { uses: ./.github/workflows/debian-package.yml }
+ git-ssh-dr: { uses: ./.github/workflows/git-ssh-dr.yml }
+ grpc: { uses: ./.github/workflows/grpc.yml }
+ hostap: { uses: ./.github/workflows/hostap.yml }
+ iperf: { uses: ./.github/workflows/iperf.yml }
+ krb5: { uses: ./.github/workflows/krb5.yml }
+ libcryptsetup: { uses: ./.github/workflows/libcryptsetup.yml }
+ libeac3: { uses: ./.github/workflows/libeac3.yml }
+ libfido2: { uses: ./.github/workflows/libfido2.yml }
+ libhashkit2: { uses: ./.github/workflows/libhashkit2.yml }
+ libnice: { uses: ./.github/workflows/libnice.yml }
+ liboauth2: { uses: ./.github/workflows/liboauth2.yml }
+ librelp: { uses: ./.github/workflows/librelp.yml }
+ libssh2: { uses: ./.github/workflows/libssh2.yml }
+ libtss2: { uses: ./.github/workflows/libtss2.yml }
+ libwebsockets: { uses: ./.github/workflows/libwebsockets.yml }
+ net-snmp: { uses: ./.github/workflows/net-snmp.yml }
+ nginx: { uses: ./.github/workflows/nginx.yml }
+ openldap: { uses: ./.github/workflows/openldap.yml }
+ opensc: { uses: ./.github/workflows/opensc.yml }
+ openssh: { uses: ./.github/workflows/openssh.yml }
+ openvpn: { uses: ./.github/workflows/openvpn.yml }
+ pam-pkcs11: { uses: ./.github/workflows/pam-pkcs11.yml }
+ ppp: { uses: ./.github/workflows/ppp.yml }
+ python3-ntp: { uses: ./.github/workflows/python3-ntp.yml }
+ qt5network5: { uses: ./.github/workflows/qt5network5.yml }
+ rsync: { uses: ./.github/workflows/rsync.yml }
+ socat: { uses: ./.github/workflows/socat.yml }
+ sscep: { uses: ./.github/workflows/sscep.yml }
+ sssd: { uses: ./.github/workflows/sssd.yml }
+ stunnel: { uses: ./.github/workflows/stunnel.yml }
+ systemd: { uses: ./.github/workflows/systemd.yml }
+ tcpdump: { uses: ./.github/workflows/tcpdump.yml }
+ tnftp: { uses: ./.github/workflows/tnftp.yml }
+ tpm2-tools: { uses:
./.github/workflows/tpm2-tools.yml } + x11vnc: { uses: ./.github/workflows/x11vnc.yml } + xmlsec: { uses: ./.github/workflows/xmlsec.yml } + + notify: + name: Slack notification + needs: + - bind9 + - cjose + - curl + - debian-package + - git-ssh-dr + - grpc + - hostap + - iperf + - krb5 + - libcryptsetup + - libeac3 + - libfido2 + - libhashkit2 + - libnice + - liboauth2 + - librelp + - libssh2 + - libtss2 + - libwebsockets + - net-snmp + - nginx + - openldap + - opensc + - openssh + - openvpn + - pam-pkcs11 + - ppp + - python3-ntp + - qt5network5 + - rsync + - socat + - sscep + - sssd + - stunnel + - systemd + - tcpdump + - tnftp + - tpm2-tools + - x11vnc + - xmlsec + if: always() + runs-on: ubuntu-latest + # Job-level env so step `if:` blocks can see SLACK_WEBHOOK_URL -- + # step-level `env:` is not available to the same step's `if:` + # because the expression is evaluated before the env mapping is + # exported. Setting at the job level avoids that ordering trap. + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + steps: + - name: Compose summary + id: summary + env: + NEEDS_JSON: ${{ toJSON(needs) }} + RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + run: | + set -euo pipefail + # Pass/fail lists. Use `to_entries[]` (stream) so each result + # is its own object inside the string interpolation -- doing + # this inside a `map(...)` would make .[].key stream multiple + # values into a single template slot, which is malformed jq. + PASSED=$(echo "$NEEDS_JSON" | jq -r ' + to_entries[] + | select(.value.result == "success") + | .key' | sort) + FAILED=$(echo "$NEEDS_JSON" | jq -r ' + to_entries[] + | select(.value.result != "success") + | "\(.key) (\(.value.result))"' | sort) + PASS_COUNT=$(echo "$PASSED" | grep -c . || echo 0) + FAIL_COUNT=$(echo "$FAILED" | grep -c . 
|| echo 0) + TOTAL=$((PASS_COUNT + FAIL_COUNT)) + + if [ "$FAIL_COUNT" -eq 0 ]; then + COLOR="good" + TITLE=":large_green_circle: Nightly OSP: ALL ${TOTAL} PASSED" + DETAILS="All OSP workflows green for $(date -u +%Y-%m-%d)." + else + COLOR="danger" + TITLE=":red_circle: Nightly OSP: ${FAIL_COUNT} of ${TOTAL} FAILED" + DETAILS=$'Failed:\n```\n'"${FAILED}"$'\n```' + fi + + { + echo "color=$COLOR" + echo "title<> "$GITHUB_OUTPUT" + + - name: Post to Slack + # Skip silently when the webhook isn't configured (forks, manual + # dispatch by someone without the secret, etc.). The `env` is + # job-level above, which is what makes this `if:` work. + if: env.SLACK_WEBHOOK_URL != '' + env: + TITLE: ${{ steps.summary.outputs.title }} + DETAILS: ${{ steps.summary.outputs.details }} + COLOR: ${{ steps.summary.outputs.color }} + run: | + set -euo pipefail + PAYLOAD=$(jq -n \ + --arg title "$TITLE" \ + --arg details "$DETAILS" \ + --arg color "$COLOR" \ + '{ + attachments: [{ + color: $color, + title: $title, + text: $details, + mrkdwn_in: ["text"] + }] + }') + # -f makes curl exit non-zero on HTTP >= 400 so the workflow + # actually fails if Slack rejects the payload. + curl -fsS -X POST -H 'Content-type: application/json' \ + --data "$PAYLOAD" "$SLACK_WEBHOOK_URL" >/dev/null + + - name: Log to job output (always) + # So you can read the same summary in the GitHub UI even when + # Slack isn't configured. + env: + TITLE: ${{ steps.summary.outputs.title }} + DETAILS: ${{ steps.summary.outputs.details }} + run: | + { + echo "## $TITLE" + echo "" + echo "$DETAILS" + } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index 74a884f6..f95311b0 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml 
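Review bot: The two count lines in the "Compose summary" step break on the all-green path: `grep -c .` prints `0` and then exits 1 when nothing matches, so the `|| echo 0` fallback appends a second `0`, the variable becomes `0` followed by a newline and `0`, and `TOTAL=$((PASS_COUNT + FAIL_COUNT))` then aborts the step under `set -e` precisely when there is nothing to report. Since `grep -c` already emits the zero, the fallback only needs to swallow the exit status: `PASS_COUNT=$(printf '%s\n' "$PASSED" | grep -c . || true)` and `FAIL_COUNT=$(printf '%s\n' "$FAILED" | grep -c . || true)`. Note also that the summary keys off `needs.<id>.result`, and a called workflow whose failing job carries `continue-on-error: true` (socat.yml keeps that flag) is reported to the caller as `success`, so those regressions never reach the `FAILED` list; either drop the flag in the called workflow or accept that the Slack colour does not cover them. The heredoc that writes `title`/`details` to `$GITHUB_OUTPUT` is truncated in this rendering, so its terminator could not be checked. Passing the `needs` context and the Slack payload through `env:` plus `jq --arg` rather than inline expansion is the right shape and worth keeping when the step is touched.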
@@ -1,50 +1,23 @@ name: OpenLDAP Tests -# START OF COMMON SECTION +# OSP integration test for OpenLDAP Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_openldap: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index 9b6ac2a7..2e286ff4 100644 --- a/.github/workflows/opensc.yml 
+++ b/.github/workflows/opensc.yml @@ -1,50 +1,23 @@ name: OpenSC Tests -# START OF COMMON SECTION +# OSP integration test for OpenSC Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_opensc: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 6e5df6de..d940a643 100644 
--- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -1,50 +1,23 @@ name: openssh Tests -# START OF COMMON SECTION +# OSP integration test for openssh Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_openssh: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
@@ -82,8 +54,7 @@ jobs: strategy: fail-fast: false matrix: - # PR runs latest openssh only. Older refs exercised at release time. - openssh_ref: [ 'V_10_0_P2' ] + openssh_ref: [ 'V_10_0_P2', 'V_9_9_P1' ] wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }} fips_ref: [ 'non-FIPS' ] # FIPS is not yet supported for OpenSSH diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml index 69e5b7e0..06474b26 100644 --- a/.github/workflows/openssl-version.yml +++ b/.github/workflows/openssl-version.yml @@ -25,12 +25,25 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml openssl_version_test: - needs: discover_versions + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false continue-on-error: true name: OpenSSL Version Test diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 4e6845b7..1c19a2cf 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml 
@@ -1,50 +1,23 @@ name: OpenVPN Tests -# START OF COMMON SECTION +# OSP integration test for OpenVPN Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_openvpn: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] # This should be a safe limit for the tests to run. diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index 7ff64731..e7851b12 100644 
--- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -1,50 +1,23 @@ name: pam-pkcs11 Tests -# START OF COMMON SECTION +# OSP integration test for pam-pkcs11 Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_pam_pkcs11: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index 1b352ee9..b231c022 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -1,48 +1,23 @@ name: PPP Tests +# OSP integration test for PPP Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -58,7 +33,6 @@ jobs: replace_default: [ true ] test_ppp: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index 90c5ddfd..608f1f3e 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml @@ -1,50 +1,23 @@ name: python3-ntp Tests -# START OF COMMON SECTION +# OSP integration test for python3-ntp Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} 
@@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_python3-ntp: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] # This should be a safe limit for the tests to run. diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index 2440e9b0..ea93cb7b 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml 
@@ -1,47 +1,23 @@ name: qtbase Network Tests + +# OSP integration test for qtbase Network Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -57,7 +33,6 @@ jobs: replace_default: [ true ] test_qtbase_network: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 0e3f5f2b..33cb1d3d 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml 
@@ -1,47 +1,23 @@ name: rsync Tests + +# OSP integration test for rsync Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -57,7 +33,6 @@ jobs: replace_default: [ true ] test_rsync: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] timeout-minutes: 15 diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml new file mode 100644 index 00000000..25c6198f --- /dev/null +++ b/.github/workflows/sanitizers.yml 
@@ -0,0 +1,115 @@ +name: Sanitizers (ASan + UBSan) + +# Build wolfSSL, OpenSSL, and wolfProvider from source with +# -fsanitize=address,undefined, then run the cmd-test suite under the +# instrumented binaries. Catches use-after-free, double-free, OOB +# read/write, and undefined behavior (signed overflow, alignment, +# misuse of bool, etc.). +# +# Static libasan is used so the wolfProvider .so picks it up without +# the test runner needing LD_PRELOAD. Detect-leaks stays on to surface +# anything we're forgetting to free. + +# START OF COMMON SECTION +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + + sanitizers: + needs: [wait_for_smoke, discover_versions] + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + name: ASan+UBSan (wolfSSL ${{ needs.discover_versions.outputs.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_ref }}) + runs-on: ubuntu-22.04 + # Sanitizers add ~2-3x to build/test time vs. a plain build. + timeout-minutes: 45 + env: + # Surface every report. 
halt_on_error=1 fails the first time we + # touch UB so we don't drown in cascades. + ASAN_OPTIONS: detect_leaks=1:halt_on_error=1:abort_on_error=1:print_stacktrace=1 + UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1 + steps: + - name: Checkout wolfProvider + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Install host build deps + # Bare runner -- not the test-deps container -- because we're + # building OpenSSL/wolfssl from source against the host toolchain. + run: | + sudo apt-get update + sudo apt-get install -y \ + build-essential autoconf automake libtool pkg-config \ + git curl wget patch m4 gettext + + - name: Build wolfProvider with sanitizers + env: + # Static libasan so the wolfProvider .so embeds it; otherwise + # the runtime needs LD_PRELOAD and ordering issues bite. + SAN_FLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g" + SAN_LDFLAGS: "-fsanitize=address,undefined -static-libasan" + OPENSSL_CFLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g -static-libasan" + OPENSSL_CXXFLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g -static-libasan" + OPENSSL_LDFLAGS: "-fsanitize=address,undefined -static-libasan" + run: | + # wolfSSL and wolfProvider build scripts accept _CONFIG_CFLAGS + # via env; append the sanitizer flags so all three layers + # (OpenSSL, wolfSSL, wolfProvider) get instrumented. 
+ export WOLFSSL_CONFIG_CFLAGS="${WOLFSSL_CONFIG_CFLAGS:-} ${SAN_FLAGS}" + export WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS:-} ${SAN_FLAGS}" + + OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_ref }} \ + WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \ + ./scripts/build-wolfprovider.sh + + - name: Run cmd-tests under sanitizers + run: | + source scripts/env-setup + ./scripts/cmd_test/do-cmd-tests.sh + + - name: Dump build/test logs on failure + if: ${{ failure() }} + run: | + for f in test-suite.log scripts/build-release.log scripts/build-debug.log; do + if [ -f "$f" ]; then + echo "=== $f (last 200 lines) ===" + tail -200 "$f" + fi + done diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml index 82e62efe..646e5408 100644 --- a/.github/workflows/seed-src.yml +++ b/.github/workflows/seed-src.yml @@ -25,7 +25,21 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + seed_src_test: + needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: SEED-SRC Test runs-on: ubuntu-22.04 diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index a73ab602..8b41848a 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml 
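Review bot: In the "Build wolfProvider with sanitizers" step, `OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_ref }}` and `WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }}` are expanded directly into the `run:` script, which is the expression-in-shell pattern GitHub's hardening guidance flags for script injection; the step already has an `env:` block, so add `OPENSSL_TAG: ${{ needs.discover_versions.outputs.openssl_ref }}` and `WOLFSSL_TAG: ${{ needs.discover_versions.outputs.wolfssl_ref }}` there and reduce the command to `./scripts/build-wolfprovider.sh`, matching how this same step already passes `SAN_FLAGS` and how nightly-osp.yml passes `NEEDS_JSON`. Whether `_discover-versions.yml` derives those outputs from repository content is not visible here, so the actual exposure is unknown, but the env form is no longer and removes the question. Separately, the job-level `ASAN_OPTIONS` with `detect_leaks=1:halt_on_error=1` governs every instrumented binary executed during the configure/build steps, not only the cmd-test suite, so if autoconf probes start failing under leak detection the variables can be scoped to the "Run cmd-tests under sanitizers" step instead. `actions/checkout@v4` is a mutable tag; pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow that runs on every pull request.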
@@ -25,12 +25,25 @@ concurrency: # END OF COMMON SECTION jobs: + wait_for_smoke: + name: Wait for smoke + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + runs-on: ubuntu-22.04 + timeout-minutes: 35 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - uses: ./.github/actions/wait-for-smoke + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + discover_versions: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml simple_test: - needs: discover_versions + needs: [wait_for_smoke, discover_versions] if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: Simple Test runs-on: ubuntu-22.04 diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index ecdd6de4..7de10ce5 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml 
@@ -1,50 +1,23 @@ name: Socat Tests -# START OF COMMON SECTION +# OSP integration test for Socat Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_socat: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] continue-on-error: true diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index ed7bad59..73267f22 100644 --- a/.github/workflows/sscep.yml 
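Review bot: With `on:` reduced to `workflow_call`/`workflow_dispatch`, the retained `concurrency: group: ${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: true` needs a second look: inside a called workflow the `github` context belongs to the caller, so `github.workflow` is the orchestrator's name, and if GitHub honours a called workflow's top-level `concurrency` every OSP workflow the nightly invokes on the same ref would land in one group and cancel each other. Keying the group on this workflow's own identity, e.g. `group: socat-${{ github.ref }}`, or deleting the block and letting `nightly-osp.yml` own concurrency, avoids that. I cannot see the orchestrator from here, so please confirm against how it calls these.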
+++ b/.github/workflows/sscep.yml @@ -1,50 +1,23 @@ name: sscep Tests -# START OF COMMON SECTION +# OSP integration test for sscep Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_sscep: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] timeout-minutes: 10 diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index eee0fc4c..0a4fdaf9 100644 --- a/.github/workflows/sssd.yml 
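Review bot: Removing the `pull_request` trigger entirely means an edit to this workflow file is never exercised before it lands; its first run is the nightly, where a YAML or `needs:` mistake shows up a day later. A narrow trigger such as `pull_request: paths: ['.github/workflows/sscep.yml', '.github/workflows/build-wolfprovider.yml']` (with the draft guard restored on the jobs) keeps PR CI cheap while still validating changes to the workflow itself. The `build_wolfprovider` matrix this job consumes is outside the hunk.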
+++ b/.github/workflows/sssd.yml @@ -1,32 +1,19 @@ name: SSSD Tests -# START OF COMMON SECTION +# OSP integration test for SSSD Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: test_sssd: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 timeout-minutes: 20 container: diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index b3580a88..d0fb4686 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml 
@@ -1,50 +1,23 @@ name: Stunnel Tests -# START OF COMMON SECTION +# OSP integration test for Stunnel Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_stunnel: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index c7edcb3d..ae9be83a 100644 --- a/.github/workflows/systemd.yml 
+++ b/.github/workflows/systemd.yml @@ -1,50 +1,23 @@ name: systemd Tests -# START OF COMMON SECTION +# OSP integration test for systemd Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: ['master', 'main', 'release/**'] - pull_request: - branches: ['*'] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_systemd: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] # This should be a safe limit for the tests to run. 
diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index d3c34114..d67b9419 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml @@ -1,47 +1,23 @@ name: tcpdump Tests +# OSP integration test for tcpdump Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -57,7 +33,6 @@ jobs: replace_default: [ true ] test_tcpdump: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] continue-on-error: true 
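Review bot: `test_tcpdump` keeps `continue-on-error: true` at the bottom of the hunk, which in a nightly that nobody is watching per PR means a tcpdump regression still reports the suite green. If the job is known to be flaky, prefer surfacing it rather than masking it: drop `continue-on-error`, add `if: always()` log upload, or at least a comment on the line naming the flake it is covering for, e.g. `# known-flaky: <reason>; failures are informational`. Without that, the move to nightly quietly turns this integration test into a no-op signal.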
diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index cd3f5f6f..6d3161c5 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -1,50 +1,23 @@ name: tnftp Tests -# START OF COMMON SECTION +# OSP integration test for tnftp Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_tnftp: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: 
diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 84a0a0f6..c5a272a7 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -1,50 +1,23 @@ name: tpm2-tools Tests -# START OF COMMON SECTION +# OSP integration test for tpm2-tools Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} 
@@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_tpm2_tools: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index a4c6029e..aff1995b 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml 
@@ -1,50 +1,23 @@ name: x11vnc Tests -# START OF COMMON SECTION +# OSP integration test for x11vnc Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: - needs: [wait_for_smoke, discover_versions] - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + needs: discover_versions uses: ./.github/workflows/build-wolfprovider.yml with: wolfssl_ref: ${{ matrix.wolfssl_ref }} @@ -60,7 +33,6 @@ jobs: replace_default: [ true ] test_x11vnc: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index c241964e..412973a1 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml 
@@ -1,20 +1,19 @@ name: xmlsec Tests -# START OF COMMON SECTION +# OSP integration test for xmlsec Tests. Runs nightly via the +# Nightly OSP Suite orchestrator (.github/workflows/nightly-osp.yml) +# or manually via workflow_dispatch. NOT triggered on PR/push -- +# PR CI focuses on smoke + simple + cheap internal checks. + on: - push: - branches: [ 'master', 'main', 'release/**' ] - #pull_request: - #branches: [ '*' ] + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION - jobs: discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml build_wolfprovider: From 2b2573db3d0d42392e66952a5ef8a91f6dbfcccc Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 13:47:13 -0700 Subject: [PATCH 14/26] ci: drop wait_for_smoke gates; PR workflows fire in parallel with smoke The wait_for_smoke job (composite action that polls Smoke Test on the PR head SHA) was forcing every other PR workflow to wait for smoke before kicking off. End result: smoke + multi-compiler + sanitizers were serialized when they could be parallel. What we wanted from this gate -- "don't burn CI on a broken build" -- isn't actually saving much. Smoke takes the same wall time as the shortest other workflow, and PR-mode draft-skip already prevents the sweep on WIP PRs. The gate was holding back the open-PR signal more than it was saving runner-minutes. Strip it everywhere: - simple, cmdline, fips-ready, openssl-version, seed-src, multi-compiler, sanitizers - the OSP workflows already had it removed in the nightly move. Draft-skip stays. Smoke itself still runs on PR -- it's just no longer a barrier in front of everything else. The .github/actions/wait-for-smoke composite action stays in the tree; nothing references it now, but it's small and harmless to keep around in case someone wants to opt a specific workflow back into it. --- .github/workflows/cmdline.yml | 14 -------------- .github/workflows/fips-ready.yml | 14 -------------- .github/workflows/multi-compiler.yml | 14 -------------- .github/workflows/openssl-version.yml | 15 +-------------- .github/workflows/sanitizers.yml | 15 +-------------- .github/workflows/seed-src.yml | 14 -------------- .github/workflows/simple.yml | 15 +-------------- 7 files changed, 3 insertions(+), 98 deletions(-) diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml index a750025f..c09dd047 100644 --- a/.github/workflows/cmdline.yml +++ b/.github/workflows/cmdline.yml 
@@ -25,21 +25,7 @@ concurrency: # END OF COMMON SECTION jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - cmdtest_test: - needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: Command line test runs-on: ubuntu-22.04 diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml index 3749b548..69fa42b5 100644 --- a/.github/workflows/fips-ready.yml +++ b/.github/workflows/fips-ready.yml @@ -25,21 +25,7 @@ concurrency: # END OF COMMON SECTION jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - fips_ready_test: - needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: FIPS Ready Bundle Test runs-on: ubuntu-22.04 diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml index 12467296..366e8ba5 100644 --- a/.github/workflows/multi-compiler.yml +++ b/.github/workflows/multi-compiler.yml 
@@ -25,21 +25,7 @@ concurrency: # END OF COMMON SECTION jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - build_wolfprovider: - needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: Build with compiler ${{ matrix.CC }}, wolfssl ${{ matrix.wolfssl_ref }}, OpenSSL ${{ matrix.openssl_ref }} runs-on: ${{ matrix.OS }} diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml index 06474b26..69e5b7e0 100644 --- a/.github/workflows/openssl-version.yml +++ b/.github/workflows/openssl-version.yml @@ -25,25 +25,12 @@ concurrency: # END OF COMMON SECTION jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml openssl_version_test: - needs: [wait_for_smoke, discover_versions] + needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false continue-on-error: true name: OpenSSL Version Test diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml index 25c6198f..17ed7707 100644 --- a/.github/workflows/sanitizers.yml +++ b/.github/workflows/sanitizers.yml 
@@ -35,25 +35,12 @@ concurrency: # END OF COMMON SECTION jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml sanitizers: - needs: [wait_for_smoke, discover_versions] + needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: ASan+UBSan (wolfSSL ${{ needs.discover_versions.outputs.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_ref }}) runs-on: ubuntu-22.04 diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml index 646e5408..82e62efe 100644 --- a/.github/workflows/seed-src.yml +++ b/.github/workflows/seed-src.yml @@ -25,21 +25,7 @@ concurrency: # END OF COMMON SECTION jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - seed_src_test: - needs: wait_for_smoke if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: SEED-SRC Test runs-on: ubuntu-22.04 diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index 8b41848a..a73ab602 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml 
@@ -25,25 +25,12 @@ concurrency: # END OF COMMON SECTION jobs: - wait_for_smoke: - name: Wait for smoke - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - runs-on: ubuntu-22.04 - timeout-minutes: 35 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - uses: ./.github/actions/wait-for-smoke - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - discover_versions: if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml simple_test: - needs: [wait_for_smoke, discover_versions] + needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: Simple Test runs-on: ubuntu-22.04 From fb034b6ab11aa2b7352c4438e7813a08c7517f8a Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 13:51:52 -0700 Subject: [PATCH 15/26] ci: test wolfSSL master + latest-stable everywhere via the resolver _discover-versions.yml now emits wolfssl_ref_array=["master",""] instead of a single-element array. Every matrix consumer of that output -- the 40 OSP workflows already use fromJson on it -- now iterates both refs. Wired wolfssl_ref into the matrix of the workflows that were still using the singular `outputs.wolfssl_ref`: - simple.yml: matrix gains wolfssl_ref (now 8 jobs / PR, was 4) - cmdline.yml: matrix.wolfssl_ref switches from ['v5.8.4-stable'] to the array form, also adds a discover_versions job - libtss2.yml: matrix.wolfssl_ref added; build step reads it - sanitizers.yml: matrix added so ASan+UBSan exercises both refs The singular `wolfssl_ref` output still resolves to latest-stable for the few non-matrix consumers (none currently, but the API stays backwards-compatible). Nightly OSP now runs every OSP workflow with master AND latest-stable in parallel, which is the load nightly was built to absorb. --- .github/workflows/_discover-versions.yml | 8 ++++++-- .github/workflows/cmdline.yml | 7 ++++++- .github/workflows/libtss2.yml | 3 ++- .github/workflows/sanitizers.yml | 9 +++++++-- .github/workflows/simple.yml | 7 ++++--- 5 files changed, 25 insertions(+), 9 deletions(-) diff --git a/.github/workflows/_discover-versions.yml b/.github/workflows/_discover-versions.yml index f82732ab..dc90f93a 100644 --- a/.github/workflows/_discover-versions.yml +++ b/.github/workflows/_discover-versions.yml 
@@ -66,12 +66,16 @@ jobs:
fi
OSSL=$(echo "$OSSL_RAW" | sed 's/-.*//')

- echo "wolfSSL latest -stable: $WOLFSSL"
+ echo "wolfSSL latest -stable: $WOLFSSL (also testing master)"
echo "Bookworm OpenSSL: openssl-$OSSL (raw: $OSSL_RAW)"

+ # Matrix consumers iterate the array form, so they exercise
+ # both master and the latest -stable tag every run. Singular
+ # `wolfssl_ref` (still the stable tag) is kept for the few
+ # remaining non-matrix consumers and shell-step interpolation.
{
echo "wolfssl_ref=$WOLFSSL"
- echo "wolfssl_ref_array=[\"$WOLFSSL\"]"
+ echo "wolfssl_ref_array=[\"master\",\"$WOLFSSL\"]"
echo "openssl_ref=openssl-$OSSL"
echo "openssl_ref_array=[\"openssl-$OSSL\"]"
} >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml
index 626233c7..8e49a38b 100644
--- a/.github/workflows/cmdline.yml
+++ b/.github/workflows/cmdline.yml
@@ -25,7 +25,12 @@ concurrency:
# END OF COMMON SECTION

jobs:
+ discover_versions:
+ if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+ uses: ./.github/workflows/_discover-versions.yml
+
cmdtest_test:
+ needs: discover_versions
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
name: Command line test
runs-on: ubuntu-22.04
@@ -34,7 +39,7 @@ jobs:
fail-fast: false
matrix:
openssl_ref: [ 'master', 'openssl-3.5.0' ]
- wolfssl_ref: [ 'v5.8.4-stable' ]
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
debug: ['WOLFPROV_DEBUG=1', '']
# force_fail collapsed into sequential test runs below
steps:
diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml
index cb2d02ce..09330df1 100644
--- a/.github/workflows/libtss2.yml
+++ b/.github/workflows/libtss2.yml
@@ -28,6 +28,7 @@ jobs:
fail-fast: false
matrix:
tpm2_tss_ref: [ '4.1.3']
+ wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
openssl_ref: [ 'openssl-3.5.4' ]
replace_default: [ true ]
env:
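Review bot: Putting the literal `master` into `wolfssl_ref_array` makes every PR-required matrix job depend on an unpinned upstream branch, so a red PR can now be caused by a wolfSSL master commit rather than the change under review, and two runs of the same PR are not comparable because nothing records which commit `master` resolved to. Consider resolving the branch head here with `git ls-remote` against `refs/heads/master`, emitting that SHA as an extra output and echoing it next to the `wolfSSL latest -stable:` line so a failing run can be tied to an exact tree, and let consumers mark the master leg advisory with `continue-on-error: ${{ matrix.wolfssl_ref == 'master' }}`. How `$WOLFSSL` itself is resolved is above this hunk, so I cannot tell whether the same concern applies to the stable tag.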
@@ -53,7 +54,7 @@ jobs: - name: Build wolfProvider run: | OPENSSL_TAG=${{ matrix.openssl_ref }} \ - WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \ + WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \ ./scripts/build-wolfprovider.sh - name: Checkout tpm2-tss diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml index 17ed7707..2cc6b0e6 100644 --- a/.github/workflows/sanitizers.yml +++ b/.github/workflows/sanitizers.yml @@ -42,10 +42,15 @@ jobs: sanitizers: needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - name: ASan+UBSan (wolfSSL ${{ needs.discover_versions.outputs.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_ref }}) + name: ASan+UBSan (wolfSSL ${{ matrix.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_ref }}) runs-on: ubuntu-22.04 # Sanitizers add ~2-3x to build/test time vs. a plain build. timeout-minutes: 45 + strategy: + fail-fast: false + matrix: + # Test master + latest-stable (resolved at run time). + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} env: # Surface every report. halt_on_error=1 fails the first time we # touch UB so we don't drown in cascades. @@ -83,7 +88,7 @@ jobs: export WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS:-} ${SAN_FLAGS}" OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_ref }} \ - WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \ + WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \ ./scripts/build-wolfprovider.sh - name: Run cmd-tests under sanitizers diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index a73ab602..b505aafe 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml 
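Review bot: `WOLFSSL_TAG=${{ matrix.wolfssl_ref }}` in the libtss2 and sanitizers `run:` steps splices the resolved ref into the script text before bash sees it, and that value now originates from a tag name fetched from a remote repository rather than a literal in the workflow. GitHub's guidance for this is to pass such values through `env:` and let the shell read them quoted: set `env: WOLFSSL_TAG: ${{ matrix.wolfssl_ref }}` on the step and drop the inline assignment (the same goes for `OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_ref }}`). Upstream tag names are presumably well-behaved, but this stops the resolver's filtering from being the only thing between a tag name and the runner shell.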
@@ -38,8 +38,9 @@ jobs: strategy: fail-fast: false matrix: - # PR matrix: latest-stable wolfssl (resolved at runtime) + newest 3.5 - # and oldest 3.0 OpenSSL = 2 x 1 x 2 = 4 jobs. + # 2 wolfssl (master + latest-stable, resolved at run time) x + # newest 3.5 and oldest 3.0 OpenSSL x 2 replace-default = 8 jobs. + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} openssl_ref: [ 'openssl-3.5.4', 'openssl-3.0.17'] @@ -57,7 +58,7 @@ jobs: - name: Build and test wolfProvider run: | OPENSSL_TAG=${{ matrix.openssl_ref }} \ - WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \ + WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \ ./scripts/build-wolfprovider.sh ${{ matrix.debug }} ${{ matrix.replace_default }} - name: Print errors From 47441e17199d143f73088a90dee9293d82cfb47c Mon Sep 17 00:00:00 2001 
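Review bot: The new matrix comment works out `2 x 2 x 2 = 8 jobs`, but the build step below also interpolates `${{ matrix.debug }}`, whose definition is outside the hunk; if `debug` lists more than one value the arithmetic is already stale. Either fold that dimension in or drop the count and keep the description, e.g. `# wolfssl (master + latest-stable) x openssl (newest 3.5, oldest 3.0) x replace-default`. The `WOLFSSL_TAG=${{ matrix.wolfssl_ref }}` interpolation straight into the `run:` line is the same expression-in-shell pattern better moved to the step's `env:`.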
From: aidan garske Date: Mon, 25 May 2026 13:55:45 -0700 Subject: [PATCH 16/26] ci: resolve OpenSSL latest upstream tag too; use it on source-built workflows _discover-versions.yml now resolves a third version too: openssl_latest_ref e.g. openssl-3.5.4 openssl_latest_ref_array e.g. ["openssl-3.5.4"] Sourced from upstream openssl/openssl via git ls-remote, filtered to release-shaped tags (^openssl-3\.[0-9]+\.[0-9]+$ -- no -alpha/-beta/-pre). Wired into the workflows that build OpenSSL from source and had been pinning a "latest" version by hand: - simple.yml newest slot was openssl-3.5.4 - libtss2.yml was openssl-3.5.4 - sanitizers.yml was using openssl_ref (Bookworm 3.0.20!) - smoke-test.yml was openssl-3.5.4 - cmdline.yml was openssl-3.5.0 - fips-ready.yml was openssl-3.5.0 - seed-src.yml newest slot was openssl-3.5.4 (also added discover_versions) Untouched on purpose: - the OSP workflows that consume the wolfprov .deb (openssl_ref stays as Bookworm 3.0.20 -- that's what the .deb actually carries) - openssl-version.yml's matrix (its whole job is to sweep specific versions, not always-latest) - the "oldest LTS" slots (openssl-3.0.17) in simple.yml and seed-src.yml -- those still exercise the older series intentionally. The user-facing diff is small for now (3.5.4 was already the upstream latest), but next release the matrix labels track upstream automatically. --- .github/workflows/_discover-versions.yml | 39 ++++++++++++++++++------ .github/workflows/cmdline.yml | 4 ++- .github/workflows/fips-ready.yml | 7 ++++- .github/workflows/libtss2.yml | 2 +- .github/workflows/sanitizers.yml | 4 +-- .github/workflows/seed-src.yml | 15 +++++---- .github/workflows/simple.yml | 9 +++--- .github/workflows/smoke-test.yml | 8 ++--- 8 files changed, 59 insertions(+), 29 deletions(-) diff --git a/.github/workflows/_discover-versions.yml b/.github/workflows/_discover-versions.yml index dc90f93a..a4eb8540 100644 --- a/.github/workflows/_discover-versions.yml 
+++ b/.github/workflows/_discover-versions.yml @@ -15,17 +15,23 @@ on: workflow_call: outputs: wolfssl_ref: - description: 'Plain string, e.g. v5.8.4-stable' + description: 'Plain string, latest -stable e.g. v5.8.4-stable' value: ${{ jobs.discover.outputs.wolfssl_ref }} wolfssl_ref_array: - description: 'JSON array for matrix use, e.g. ["v5.8.4-stable"]' + description: 'JSON array of master + latest -stable for matrix use' value: ${{ jobs.discover.outputs.wolfssl_ref_array }} openssl_ref: - description: 'Plain string, e.g. openssl-3.0.20' + description: 'Plain string. Bookworm stock OpenSSL (matches the wolfprov .deb).' value: ${{ jobs.discover.outputs.openssl_ref }} openssl_ref_array: - description: 'JSON array for matrix use, e.g. ["openssl-3.0.20"]' + description: 'JSON array form of openssl_ref' value: ${{ jobs.discover.outputs.openssl_ref_array }} + openssl_latest_ref: + description: 'Plain string, latest upstream openssl-3.x.y release tag (e.g. openssl-3.5.4)' + value: ${{ jobs.discover.outputs.openssl_latest_ref }} + openssl_latest_ref_array: + description: 'JSON array form of openssl_latest_ref' + value: ${{ jobs.discover.outputs.openssl_latest_ref_array }} jobs: discover: @@ -37,6 +43,8 @@ jobs: wolfssl_ref_array: ${{ steps.resolve.outputs.wolfssl_ref_array }} openssl_ref: ${{ steps.resolve.outputs.openssl_ref }} openssl_ref_array: ${{ steps.resolve.outputs.openssl_ref_array }} + openssl_latest_ref: ${{ steps.resolve.outputs.openssl_latest_ref }} + openssl_latest_ref_array: ${{ steps.resolve.outputs.openssl_latest_ref_array }} steps: - name: Resolve versions id: resolve @@ -51,7 +59,7 @@ jobs: exit 1 fi - # ---- OpenSSL: whatever Debian Bookworm apt-resolves to ---- + # ---- OpenSSL (Debian Bookworm stock) ---- # The wolfprov-patched .deb on ghcr.io is built by patching # Bookworm's stock libssl3 source, so this is the actual # OpenSSL the Debian-container workflows end up linking against. 
@@ -66,16 +74,29 @@ jobs: fi OSSL=$(echo "$OSSL_RAW" | sed 's/-.*//') + # ---- OpenSSL (latest upstream release tag) ---- + # Used by workflows that build OpenSSL from source -- they + # don't care about Bookworm's apt version; they want what + # upstream openssl/openssl currently ships. We accept only + # release-shaped tags (openssl-X.Y.Z), no -alpha/-beta/-pre. + OSSL_LATEST=$(git ls-remote --tags --refs https://github.com/openssl/openssl.git 'openssl-3.*' \ + | awk -F/ '{print $NF}' \ + | grep -E '^openssl-3\.[0-9]+\.[0-9]+$' \ + | sort -V | tail -n 1) + if [ -z "${OSSL_LATEST:-}" ]; then + echo "::error::Could not resolve latest upstream OpenSSL tag" + exit 1 + fi + echo "wolfSSL latest -stable: $WOLFSSL (also testing master)" echo "Bookworm OpenSSL: openssl-$OSSL (raw: $OSSL_RAW)" + echo "Upstream OpenSSL latest: $OSSL_LATEST" - # Matrix consumers iterate the array form, so they exercise - # both master and the latest -stable tag every run. Singular - # `wolfssl_ref` (still the stable tag) is kept for the few - # remaining non-matrix consumers and shell-step interpolation. { echo "wolfssl_ref=$WOLFSSL" echo "wolfssl_ref_array=[\"master\",\"$WOLFSSL\"]" echo "openssl_ref=openssl-$OSSL" echo "openssl_ref_array=[\"openssl-$OSSL\"]" + echo "openssl_latest_ref=$OSSL_LATEST" + echo "openssl_latest_ref_array=[\"$OSSL_LATEST\"]" } >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml index 626233c7..8e49a38b 100644 --- a/.github/workflows/cmdline.yml +++ b/.github/workflows/cmdline.yml @@ -38,7 +38,9 @@ jobs: strategy: fail-fast: false matrix: - openssl_ref: [ 'master', 'openssl-3.5.0' ] + openssl_ref: + - master + - ${{ needs.discover_versions.outputs.openssl_latest_ref }} wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} debug: ['WOLFPROV_DEBUG=1', ''] # force_fail collapsed into sequential test runs below 
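Review bot: The grep `^openssl-3\.[0-9]+\.[0-9]+$` in the new `OSSL_LATEST` pipeline is doing double duty, and only one of those duties is documented: besides selecting release-shaped tags it is the only thing standing between an upstream-controlled tag name and a shell, because `openssl_latest_ref` is spliced unquoted into `run:` scripts via `${{ }}` by the consumers this series wires up. That is fine while the pattern stays this strict, but nothing next to the regex says so, and a later relaxation (admitting `-beta` tags, say) would silently widen what reaches those shells. I'd add `# NOTE: consumers splice this value into run: via ${{ }}; keep this regex strict (no shell metacharacters)` directly above the grep. The `Resolve versions` step begins before this hunk.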
diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml index 69fa42b5..8e8560c1 100644 --- a/.github/workflows/fips-ready.yml +++ b/.github/workflows/fips-ready.yml @@ -25,7 +25,12 @@ concurrency: # END OF COMMON SECTION jobs: + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + fips_ready_test: + needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: FIPS Ready Bundle Test runs-on: ubuntu-22.04 @@ -34,7 +39,7 @@ jobs: fail-fast: false matrix: wolfssl_bundle_ref: [ '5.8.2' ] - openssl_ref: [ 'openssl-3.5.0' ] + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_latest_ref_array) }} # force_fail collapsed into sequential runs in the test step steps: - name: Checkout wolfProvider diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index 09330df1..b772a76c 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -29,7 +29,7 @@ jobs: matrix: tpm2_tss_ref: [ '4.1.3'] wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} - openssl_ref: [ 'openssl-3.5.4' ] + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_latest_ref_array) }} replace_default: [ true ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml index 2cc6b0e6..b61274dc 100644 --- a/.github/workflows/sanitizers.yml +++ b/.github/workflows/sanitizers.yml 
@@ -42,7 +42,7 @@ jobs: sanitizers: needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false - name: ASan+UBSan (wolfSSL ${{ matrix.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_ref }}) + name: ASan+UBSan (wolfSSL ${{ matrix.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_latest_ref }}) runs-on: ubuntu-22.04 # Sanitizers add ~2-3x to build/test time vs. a plain build. timeout-minutes: 45 @@ -87,7 +87,7 @@ jobs: export WOLFSSL_CONFIG_CFLAGS="${WOLFSSL_CONFIG_CFLAGS:-} ${SAN_FLAGS}" export WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS:-} ${SAN_FLAGS}" - OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_ref }} \ + OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \ WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \ ./scripts/build-wolfprovider.sh diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml index 82e62efe..ef21bbeb 100644 --- a/.github/workflows/seed-src.yml +++ b/.github/workflows/seed-src.yml @@ -25,7 +25,12 @@ concurrency: # END OF COMMON SECTION jobs: + discover_versions: + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + uses: ./.github/workflows/_discover-versions.yml + seed_src_test: + needs: discover_versions if: github.event_name != 'pull_request' || github.event.pull_request.draft == false name: SEED-SRC Test runs-on: ubuntu-22.04 @@ -33,12 +38,10 @@ jobs: strategy: fail-fast: false matrix: - wolfssl_ref: [ - 'master', - 'v5.8.4-stable'] - openssl_ref: [ - 'openssl-3.5.4', - 'openssl-3.0.17'] + wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} + openssl_ref: + - ${{ needs.discover_versions.outputs.openssl_latest_ref }} + - openssl-3.0.17 steps: - name: Checkout wolfProvider diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index b505aafe..c55e25c2 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml 
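Review bot: `OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \` splices a workflow expression straight into the script text before bash parses it; the removed line already did that with `openssl_ref`, but the new value is a tag name fetched from a third-party repository at run time rather than an apt version, so the trust boundary moved with this change. The resolver's regex constrains the output to `openssl-3.X.Y` today, so this is defence in depth rather than a live injection. The conventional fix is to map it through the step's `env:` — `OPENSSL_TAG: ${{ needs.discover_versions.outputs.openssl_latest_ref }}` — and reference `OPENSSL_TAG="$OPENSSL_TAG" \` in the script, so the expression never becomes part of the parsed text (the step's `env:` block, if it has one, is outside this hunk). The build step's body starts before the hunk.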
@@ -39,11 +39,12 @@ jobs: fail-fast: false matrix: # 2 wolfssl (master + latest-stable, resolved at run time) x - # newest 3.5 and oldest 3.0 OpenSSL x 2 replace-default = 8 jobs. + # 2 openssl (latest upstream, resolved at run time, plus oldest + # still-maintained 3.0.x) x 2 replace-default = 8 jobs. wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} - openssl_ref: [ - 'openssl-3.5.4', - 'openssl-3.0.17'] + openssl_ref: + - ${{ needs.discover_versions.outputs.openssl_latest_ref }} + - openssl-3.0.17 debug: [''] replace_default: [ '', diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index bf34eaa9..ea1a2b60 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -45,12 +45,10 @@ jobs: fail-fast: false matrix: include: - - name: master/openssl-3.5 + - name: master/openssl-latest wolfssl_ref: master - openssl_ref: openssl-3.5.4 - - name: stable/openssl-3.5 + - name: stable/openssl-latest wolfssl_ref: '' # filled in from needs.discover_versions - openssl_ref: openssl-3.5.4 steps: - name: Checkout wolfProvider @@ -62,7 +60,7 @@ jobs: run: | # Substitute the resolved latest-stable for the "stable" matrix row. WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_ref }}" - OPENSSL_TAG=${{ matrix.openssl_ref }} \ + OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \ WOLFSSL_TAG="$WOLFSSL_TAG" \ ./scripts/build-wolfprovider.sh From 38f73c2655c49e6c95071163b93fc008649a89b5 Mon Sep 17 00:00:00 2001 
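Review bot: The two adjacent assignments in the smoke-test build step are now quoted differently: `WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_ref }}"` is double-quoted while the new `OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \` is bare. An empty output still parses in the bare form (an empty assignment), so this is a style point rather than a breakage, but the mismatch reads as if one of them was intended differently; I'd write `OPENSSL_TAG="${{ needs.discover_versions.outputs.openssl_latest_ref }}" \`. Separately, with `openssl_ref` removed from both matrix rows the resolved OpenSSL tag no longer appears in any job name, so the log is the only place it can be found; an `echo "Building against OpenSSL ${OPENSSL_TAG}"`-style line (or keeping the resolved tag in the row `name:`) would preserve that. The build step starts before this hunk.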
From: aidan garske Date: Mon, 25 May 2026 14:01:47 -0700 Subject: [PATCH 17/26] ci: make openssl-version.yml track upstream releases dynamically Replace the 46-line static list of openssl-3.x.y matrix entries with an output from _discover-versions.yml that resolves the complete set of upstream release-shaped tags at run time. New resolver output: openssl_all_releases_array. Implementation: git ls-remote --tags --refs https://github.com/openssl/openssl.git | grep -E '^openssl-3\.[0-9]+\.[0-9]+$' # strip alphas/betas | sort -V | awk '/^openssl-3\.0\.3$/ {p=1} p' # floor at historical # oldest in the static list The floor is important: upstream actually tags openssl-3.0.0, openssl-3.0.1, openssl-3.0.2, but the previous static matrix intentionally excluded those. Preserve that exclusion so we don't silently regress into running those versions. Net effect today vs. the static matrix: - same 46 entries the static list had, plus everything upstream has shipped since (openssl-3.5.5, openssl-3.6.1, openssl-3.6.2, etc.). Confirmed locally: 58 tags currently. - the highest entry (`openssl_latest_ref`, used by source-build workflows in the previous commit) is now openssl-3.6.2 today rather than openssl-3.5.4, which the previous resolver topped at by mistake (.5.x is the latest 3.5 patch, not the latest release). continue-on-error stays true on the openssl_version_test job, so a broken openssl release tag doesn't fail the workflow. --- .github/workflows/_discover-versions.yml | 38 ++++++++++++----- .github/workflows/openssl-version.yml | 52 ++---------------------- 2 files changed, 31 insertions(+), 59 deletions(-) diff --git a/.github/workflows/_discover-versions.yml b/.github/workflows/_discover-versions.yml index a4eb8540..0dcada65 100644 --- a/.github/workflows/_discover-versions.yml +++ b/.github/workflows/_discover-versions.yml 
@@ -32,6 +32,9 @@ on: openssl_latest_ref_array: description: 'JSON array form of openssl_latest_ref' value: ${{ jobs.discover.outputs.openssl_latest_ref_array }} + openssl_all_releases_array: + description: 'JSON array of every upstream openssl-3.X.Y release tag, sorted ascending. Used by openssl-version.yml so the sweep tracks upstream automatically.' + value: ${{ jobs.discover.outputs.openssl_all_releases_array }} jobs: discover: @@ -45,6 +48,7 @@ jobs: openssl_ref_array: ${{ steps.resolve.outputs.openssl_ref_array }} openssl_latest_ref: ${{ steps.resolve.outputs.openssl_latest_ref }} openssl_latest_ref_array: ${{ steps.resolve.outputs.openssl_latest_ref_array }} + openssl_all_releases_array: ${{ steps.resolve.outputs.openssl_all_releases_array }} steps: - name: Resolve versions id: resolve 
@@ -74,23 +78,34 @@ jobs: fi OSSL=$(echo "$OSSL_RAW" | sed 's/-.*//') - # ---- OpenSSL (latest upstream release tag) ---- - # Used by workflows that build OpenSSL from source -- they - # don't care about Bookworm's apt version; they want what - # upstream openssl/openssl currently ships. We accept only - # release-shaped tags (openssl-X.Y.Z), no -alpha/-beta/-pre. - OSSL_LATEST=$(git ls-remote --tags --refs https://github.com/openssl/openssl.git 'openssl-3.*' \ - | awk -F/ '{print $NF}' \ - | grep -E '^openssl-3\.[0-9]+\.[0-9]+$' \ - | sort -V | tail -n 1) - if [ -z "${OSSL_LATEST:-}" ]; then - echo "::error::Could not resolve latest upstream OpenSSL tag" + # ---- OpenSSL (all upstream release tags, sorted) ---- + # Used by openssl-version.yml so the sweep tracks upstream + # automatically as new releases ship. Release-shaped only: + # openssl-X.Y.Z, no -alpha/-beta/-pre. Floored at the + # historical oldest-supported version below so we don't + # silently re-introduce coverage of openssl-3.0.0/3.0.1/3.0.2 + # that the static matrix used to exclude. + OSSL_FLOOR="openssl-3.0.3" + OSSL_ALL=$(git ls-remote --tags --refs https://github.com/openssl/openssl.git 'openssl-3.*' \ + | awk -F/ '{print $NF}' \ + | grep -E '^openssl-3\.[0-9]+\.[0-9]+$' \ + | sort -V \ + | awk -v floor="$OSSL_FLOOR" '$0 == floor {p=1} p') + if [ -z "${OSSL_ALL:-}" ]; then + echo "::error::Could not resolve upstream OpenSSL release tags (floor=$OSSL_FLOOR)" exit 1 fi + # JSON array. jq -R reads each line as a string, -s collects + # them into an array, -c emits compact single-line JSON. + OSSL_ALL_JSON=$(printf '%s\n' "$OSSL_ALL" | jq -R . | jq -s -c .) + # Highest version (last after sort -V) is the resolved + # "latest" used by source-built workflows. 
+ OSSL_LATEST=$(echo "$OSSL_ALL" | tail -n 1) echo "wolfSSL latest -stable: $WOLFSSL (also testing master)" echo "Bookworm OpenSSL: openssl-$OSSL (raw: $OSSL_RAW)" echo "Upstream OpenSSL latest: $OSSL_LATEST" + echo "Upstream OpenSSL releases ($(echo "$OSSL_ALL" | wc -l) tags)" { echo "wolfssl_ref=$WOLFSSL" @@ -99,4 +114,5 @@ jobs: echo "openssl_ref_array=[\"openssl-$OSSL\"]" echo "openssl_latest_ref=$OSSL_LATEST" echo "openssl_latest_ref_array=[\"$OSSL_LATEST\"]" + echo "openssl_all_releases_array=$OSSL_ALL_JSON" } >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml index 69e5b7e0..d2871052 100644 --- a/.github/workflows/openssl-version.yml +++ b/.github/workflows/openssl-version.yml 
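Review bot: The `awk -F/ '{print $NF}'` stage throws away the commit SHA that `git ls-remote` returns next to each tag, so the only record of what `openssl_latest_ref` (and every entry of `openssl_all_releases_array`) resolved to is a tag name — a mutable reference that can be moved upstream, after which every source-build workflow downstream builds whatever it now points at with no trace in the CI log. This is test CI rather than a release pipeline, so I'm not asking for hash pinning, but keeping the SHA in the log costs one variable and makes a moved tag diagnosable after the fact. Capture the raw `ls-remote` output once, derive the list from it, and print the SHA beside the resolved tag as below. Note also that this step now assumes `jq` is on the runner, which the hunk does not show. The `Resolve versions` step starts before this hunk.

```yaml
          # Keep the raw ls-remote output: it carries the commit each tag
          # points at, which is the only stable record of what gets built.
          OSSL_TAGS_RAW=$(git ls-remote --tags --refs https://github.com/openssl/openssl.git 'openssl-3.*')
          OSSL_ALL=$(printf '%s\n' "$OSSL_TAGS_RAW" \
            | awk -F/ '{print $NF}' \
            | grep -E '^openssl-3\.[0-9]+\.[0-9]+$' \
            | sort -V \
            | awk -v floor="$OSSL_FLOOR" '$0 == floor {p=1} p')
          # … unchanged: empty check, OSSL_ALL_JSON, OSSL_LATEST …
          OSSL_LATEST_SHA=$(printf '%s\n' "$OSSL_TAGS_RAW" \
            | awk -v ref="refs/tags/$OSSL_LATEST" '$2 == ref {print $1}')
          echo "Upstream OpenSSL latest: $OSSL_LATEST ($OSSL_LATEST_SHA)"
```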
@@ -40,54 +40,10 @@ jobs: fail-fast: false matrix: wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} - openssl_ref: [ - 'openssl-3.0.3', - 'openssl-3.0.5', - 'openssl-3.0.6', - 'openssl-3.0.7', - 'openssl-3.0.8', - 'openssl-3.0.9', - 'openssl-3.0.10', - 'openssl-3.0.11', - 'openssl-3.0.12', - 'openssl-3.0.13', - 'openssl-3.0.14', - 'openssl-3.0.15', - 'openssl-3.0.16', - 'openssl-3.0.17', - 'openssl-3.0.18', - 'openssl-3.1.0', - 'openssl-3.1.1', - 'openssl-3.1.2', - 'openssl-3.1.3', - 'openssl-3.1.4', - 'openssl-3.1.5', - 'openssl-3.1.6', - 'openssl-3.1.7', - 'openssl-3.1.8', - 'openssl-3.2.0', - 'openssl-3.2.1', - 'openssl-3.2.2', - 'openssl-3.2.3', - 'openssl-3.2.4', - 'openssl-3.2.5', - 'openssl-3.2.6', - 'openssl-3.3.0', - 'openssl-3.3.1', - 'openssl-3.3.2', - 'openssl-3.3.3', - 'openssl-3.3.4', - 'openssl-3.3.5', - 'openssl-3.4.0', - 'openssl-3.4.1', - 'openssl-3.4.2', - 'openssl-3.4.3', - 'openssl-3.5.0', - 'openssl-3.5.1', - 'openssl-3.5.2', - 'openssl-3.5.3', - 'openssl-3.5.4', - 'openssl-3.6.0'] + # Every upstream openssl-3.X.Y release tag, resolved at run time + # by _discover-versions.yml. New release ships -> next run picks + # it up automatically; no PR needed to track the latest patch. + openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_all_releases_array) }} steps: - name: Checkout wolfProvider uses: actions/checkout@v4 From 328bb0f939f59948d74e53d097dc6410ff2cf025 Mon Sep 17 00:00:00 2001 
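Review bot: The floor-only resolver does not reproduce the static list it replaces here: the removed list jumps from `openssl-3.0.3` straight to `openssl-3.0.5`, so it never ran 3.0.4, while an ascending sweep floored at 3.0.3 will include 3.0.4 as long as upstream tags it (it was a published release, as far as I know). The commit message only talks about preserving the 3.0.0–3.0.2 exclusion, so either the 3.0.4 gap was accidental and is now quietly fixed, or it was deliberate and quietly regresses. If deliberate, an explicit skip after the floor `awk` in the resolver — e.g. `| grep -vx 'openssl-3.0.4'` — keeps the intent visible; either way I'd extend the comment above `openssl_ref:` with `# Floor-only: every tag from openssl-3.0.3 upward, no per-version exclusions.` so the next reader doesn't assume the old gaps carry over.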
From: aidan garske Date: Mon, 25 May 2026 14:06:09 -0700 Subject: [PATCH 18/26] ci: openssl-version.yml moves to nightly (58 versions is too much per PR) The dynamic resolver turned openssl-version.yml's matrix into ~58 upstream openssl-3.X.Y releases x 2 wolfssl refs = ~116 jobs. That's the load nightly was built to absorb, not something to fire on every push. - openssl-version.yml: on: { workflow_call, workflow_dispatch } (was push + pull_request). The `if: github.event.pull_request.draft` guards are removed -- workflow_call inherits caller context. - nightly-osp.yml: added openssl-version to both the dispatch list and the notify job's `needs:` so it shows up in the Slack summary alongside the OSP integration results. PR-side OpenSSL coverage stays adequate via simple.yml: wolfssl_ref: master + latest-stable (resolved dynamically) openssl_ref: openssl_latest_ref + openssl-3.0.17 2 x 2 = 4 combos x 2 replace_default = 8 jobs. Exercises latest upstream and the oldest still-maintained 3.0.x LTS, against both wolfssl master and the latest -stable tag, on every PR. The full 58-version sweep runs once a night. --- .github/workflows/nightly-osp.yml | 3 +++ .github/workflows/openssl-version.yml | 31 ++++++++++----------------- .github/workflows/simple.yml | 4 ++-- 3 files changed, 16 insertions(+), 22 deletions(-) diff --git a/.github/workflows/nightly-osp.yml b/.github/workflows/nightly-osp.yml index e679425e..3c99bf0d 100644 --- a/.github/workflows/nightly-osp.yml +++ b/.github/workflows/nightly-osp.yml @@ -73,6 +73,8 @@ jobs: tpm2-tools: { uses: ./.github/workflows/tpm2-tools.yml } x11vnc: { uses: ./.github/workflows/x11vnc.yml } xmlsec: { uses: ./.github/workflows/xmlsec.yml } + # Internal sweep: every upstream openssl-3.X.Y release tag. + openssl-version: { uses: ./.github/workflows/openssl-version.yml } notify: name: Slack notification 
@@ -117,6 +119,7 @@ jobs: - tpm2-tools - x11vnc - xmlsec + - openssl-version if: always() runs-on: ubuntu-latest # Job-level env so step `if:` blocks can see SLACK_WEBHOOK_URL -- diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml index d2871052..8596b154 100644 --- a/.github/workflows/openssl-version.yml +++ b/.github/workflows/openssl-version.yml @@ -1,37 +1,28 @@ name: OpenSSL Version Tests -# START OF COMMON SECTION +# Full sweep across every upstream openssl-3.X.Y release tag, resolved +# at run time by _discover-versions.yml. ~58 versions x 2 wolfssl refs +# = ~116 jobs, which is nightly-shaped work, not per-PR. +# +# Runs nightly via the Nightly OSP Suite orchestrator +# (.github/workflows/nightly-osp.yml) or manually via workflow_dispatch. +# PR-side OpenSSL coverage comes from simple.yml (newest upstream + +# oldest 3.0.x LTS, against master + latest-stable wolfssl). + on: - push: - branches: [ 'master', 'main', 'release/**' ] - pull_request: - branches: [ '*' ] - types: [opened, synchronize, reopened, ready_for_review] - paths-ignore: - - '**.md' - - 'docs/**' - - 'LICENSE*' - - '.github/ISSUE_TEMPLATE/**' - - '.github/dependabot.yml' - - '.gitignore' - - 'AUTHORS' - - 'COPYING' - - 'README*' - - 'CHANGELOG*' + workflow_call: {} + workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# END OF COMMON SECTION jobs: discover_versions: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false uses: ./.github/workflows/_discover-versions.yml openssl_version_test: needs: discover_versions - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false continue-on-error: true name: OpenSSL Version Test runs-on: ubuntu-22.04 diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index c55e25c2..24ae34f6 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml 
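Review bot: `continue-on-error: true` on `openssl_version_test` makes the called workflow conclude success even when matrix legs fail, and this commit now feeds that result into the nightly `notify` job's `needs:` — so, as far as I can tell, the Slack summary will never show the sweep red, and a broken OpenSSL release tag and a real wolfProvider regression across 58 versions look identical. The matrix already carries `fail-fast: false`, which is what keeps one bad tag from cancelling the other legs; the job-level flag isn't needed for that. I'd drop the `continue-on-error: true` line (or scope it to an expression that only tolerates an explicitly listed known-bad tag) so the notify job sees genuine failures. The `openssl_version_test` job body continues past this hunk.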
@@ -39,8 +39,8 @@ jobs: fail-fast: false matrix: # 2 wolfssl (master + latest-stable, resolved at run time) x - # 2 openssl (latest upstream, resolved at run time, plus oldest - # still-maintained 3.0.x) x 2 replace-default = 8 jobs. + # 2 openssl (latest upstream release + oldest 3.0.x LTS) + # x 2 replace-default = 8 jobs. wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }} openssl_ref: - ${{ needs.discover_versions.outputs.openssl_latest_ref }} From f8ccb5100c8425fe9766c3a9449851b1456013d6 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Mon, 25 May 2026 14:11:11 -0700 Subject: [PATCH 19/26] ci: fix sssd matrix parser error -- remove dead force_fail exclude After Phase B collapsed force_fail off the matrix axis, sssd.yml was left with: matrix: sssd_ref: [ '2.9.1' ] wolfssl_ref: [ 'master', 'v5.8.0-stable' ] ... exclude: - sssd_ref: 'master' force_fail: 'WOLFPROV_FORCE_FAIL=1' force_fail isn't a matrix key anymore, so the parser rejected the exclude with: Matrix exclude key 'force_fail' does not match any key within the matrix (which is what HTTP 422 from `gh workflow run nightly-osp.yml` was surfacing -- the orchestrator couldn't load this reusable workflow). The exclude was also dead code on master: there's no sssd_ref=master in the matrix, only '2.9.1'. The intended skip was wolfssl_ref=master + force_fail (sssd is known-broken under WPFF when built against wolfssl master). Express that intent inline in the test step: skip the force-fail round when wolfssl_ref=master. --- .github/workflows/sssd.yml | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 0a4fdaf9..9d4bddb5 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml 
@@ -26,9 +26,10 @@ jobs: sssd_ref: [ '2.9.1' ] wolfssl_ref: [ 'master', 'v5.8.0-stable' ] openssl_ref: [ 'openssl-3.5.0' ] - exclude: - - sssd_ref: 'master' - force_fail: 'WOLFPROV_FORCE_FAIL=1' + # NOTE: previously this matrix excluded sssd_ref=master + force_fail=1. + # force_fail is no longer a matrix axis (collapsed into sequential + # steps below). The skip is now expressed inline in the test step + # via `if [ "$SSSD_REF" = "master" ]`. steps: - name: Checkout wolfProvider uses: actions/checkout@v4 @@ -97,6 +98,19 @@ jobs: $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" sssd # --- force-fail mode --- + # The original matrix had: + # exclude: + # - sssd_ref: 'master' + # force_fail: 'WOLFPROV_FORCE_FAIL=1' + # but sssd_ref never had a 'master' value, so that exclude + # was dead code. The intended skip is wolfssl_ref=master x + # force_fail (sssd hangs/breaks under WPFF on wolfssl master). + # Skip the force-fail round when wolfssl_ref=master to match + # that intent. + if [ "${{ matrix.wolfssl_ref }}" = "master" ]; then + echo "Skipping force-fail round for wolfssl_ref=master" + exit 0 + fi export WOLFPROV_FORCE_FAIL=1 set +e make check 2>&1 | tee sssd-test.log From f1fbf99ae93d1b33af19386fc58bba5ee30751d6 Mon Sep 17 00:00:00 2001 
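Review bot: The new matrix comment says the skip is now expressed `via \`if [ "$SSSD_REF" = "master" ]\``, but the check actually added in the test step is `if [ "${{ matrix.wolfssl_ref }}" = "master" ]` — and the whole point of the commit is that the relevant axis is `wolfssl_ref`, not `sssd_ref`, so the comment re-plants the confusion it is explaining. I'd change it to `# via \`if [ "${{ matrix.wolfssl_ref }}" = "master" ]\` in the test step.` As an aside, sssd still hand-pins `wolfssl_ref: [ 'master', 'v5.8.0-stable' ]` and `openssl_ref: [ 'openssl-3.5.0' ]` while the rest of this series moved those to the resolver; out of scope for the parser fix, but worth a follow-up. The test step's script starts before this hunk.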
From: aidan garske Date: Mon, 25 May 2026 14:13:04 -0700 Subject: [PATCH 20/26] ci: drop concurrency: from OSP workflows -- caused mass cancellation Symptom: gh workflow run nightly-osp.yml fired all 41 OSP workflows but most got "cancelled" within seconds of starting. Only the last few to start (libtss2, openssl-version) actually ran. Root cause: each OSP workflow has concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true For workflow_call'd reusable workflows, github.workflow evaluates to the CALLER's workflow name -- "Nightly OSP Suite" for everything the orchestrator fans out. Result: all 41 workflows share the same concurrency group "Nightly OSP Suite-refs/heads/ci-draft-pause" with cancel-in-progress:true, so each new OSP that started cancelled all the OSPs that had already started. The OSP workflows no longer have push/pull_request triggers (workflow_call + workflow_dispatch only), so their own concurrency control isn't needed -- the nightly-osp.yml orchestrator's own `concurrency: nightly-osp` handles repeat full-suite runs. Stripped the top-level concurrency block from all 41 reusable workflows (40 OSPs + openssl-version). 
--- .github/workflows/bind9.yml | 3 --- .github/workflows/cjose.yml | 3 --- .github/workflows/curl.yml | 3 --- .github/workflows/debian-package.yml | 3 --- .github/workflows/git-ssh-dr.yml | 3 --- .github/workflows/grpc.yml | 3 --- .github/workflows/hostap.yml | 3 --- .github/workflows/iperf.yml | 3 --- .github/workflows/krb5.yml | 3 --- .github/workflows/libcryptsetup.yml | 3 --- .github/workflows/libeac3.yml | 3 --- .github/workflows/libfido2.yml | 3 --- .github/workflows/libhashkit2.yml | 3 --- .github/workflows/libnice.yml | 3 --- .github/workflows/liboauth2.yml | 3 --- .github/workflows/librelp.yml | 3 --- .github/workflows/libssh2.yml | 3 --- .github/workflows/libtss2.yml | 3 --- .github/workflows/libwebsockets.yml | 3 --- .github/workflows/net-snmp.yml | 3 --- .github/workflows/nginx.yml | 3 --- .github/workflows/openldap.yml | 3 --- .github/workflows/opensc.yml | 3 --- .github/workflows/openssh.yml | 3 --- .github/workflows/openssl-version.yml | 4 ---- .github/workflows/openvpn.yml | 3 --- .github/workflows/pam-pkcs11.yml | 3 --- .github/workflows/ppp.yml | 3 --- .github/workflows/python3-ntp.yml | 3 --- .github/workflows/qt5network5.yml | 3 --- .github/workflows/rsync.yml | 3 --- .github/workflows/socat.yml | 3 --- .github/workflows/sscep.yml | 3 --- .github/workflows/sssd.yml | 3 --- .github/workflows/stunnel.yml | 3 --- .github/workflows/systemd.yml | 3 --- .github/workflows/tcpdump.yml | 3 --- .github/workflows/tnftp.yml | 3 --- .github/workflows/tpm2-tools.yml | 3 --- .github/workflows/x11vnc.yml | 3 --- .github/workflows/xmlsec.yml | 3 --- 41 files changed, 124 deletions(-) diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index 229fadc2..f8198b38 100644 --- a/.github/workflows/bind9.yml +++ b/.github/workflows/bind9.yml 
@@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml index f6d96220..7fb28861 100644 --- a/.github/workflows/cjose.yml +++ b/.github/workflows/cjose.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index d4cd881e..585548a4 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 70e87ba6..dbbbf926 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index 0f2248dd..0cc70f56 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 3a77b524..5f363e00 100644 --- a/.github/workflows/grpc.yml 
+++ b/.github/workflows/grpc.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index a0cb0a72..6a46ce3b 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 9200341f..53d1dbb0 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 9e724565..0434de0f 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index ed96fef6..00405567 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index c67f5a3b..1daa5408 100644 
--- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 768979a1..845667ad 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index 4f78eaf2..c0d43ba7 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index 512aefb4..ee26aa44 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index b397f36d..cb5cfe57 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml 
diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index f7deced0..874fc184 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 05ddfc50..8ce2c509 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index b772a76c..9993548f 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index 67ed9519..c2700fbf 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index e40eaee7..83fb7b4c 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml 
@@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 0ba24058..6fb9c2c5 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index f95311b0..edb578ac 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index 2e286ff4..b11ca2da 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index d940a643..063fb01b 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml index 8596b154..a3b0c514 100644 --- a/.github/workflows/openssl-version.yml 
+++ b/.github/workflows/openssl-version.yml @@ -13,10 +13,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 1c19a2cf..952f9fb1 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index e7851b12..3340984b 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index b231c022..18ad6975 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index 608f1f3e..11aeb9da 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml 
diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index ea93cb7b..7637a030 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 33cb1d3d..87095a04 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 7de10ce5..f625aca3 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index 73267f22..c19f09ea 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 9d4bddb5..506ff782 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: test_sssd: runs-on: ubuntu-22.04 
diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index d0fb4686..7471f735 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index ae9be83a..e49eeab3 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index d67b9419..15ff509c 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 6d3161c5..656b104a 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index c5a272a7..029c8f0c 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml 
@@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index aff1995b..4f5b350d 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index 412973a1..ce50ef64 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -9,9 +9,6 @@ on: workflow_call: {} workflow_dispatch: {} -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true jobs: discover_versions: uses: ./.github/workflows/_discover-versions.yml From 1d706582efcec2cddc224ce71c21b3342b8ec27f Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 14:17:37 -0700 Subject: [PATCH 21/26] ci: drop fork guard on ghcr ORAS pull -- prevented nightly on forks build-wolfprovider.yml gated its `Login to ghcr.io` and `Download pre-built packages from ghcr.io` steps on `github.repository == 'wolfSSL/wolfProvider'`. On a fork run (aidangarske/wolfProvider firing nightly-osp.yml), that condition is false, so the .deb pull was silently skipped, the package directories stayed empty, `dpkg -i .../*.deb` was a no-op, and wolfprov's configure failed with "could not locate wolfSSL". The published .debs (ghcr.io/wolfssl/wolfprovider/debs:*) are public, so anonymous pulls work regardless of which repo's CI is running. Drop the fork guard. Login is best-effort (continue-on-error: true) -- it helps rate limits when a token is available, but anonymous pulls keep working for forks without write-scope tokens against wolfssl's namespace. Also use github.actor for the login username instead of github.repository_owner so the token's actual user is used (matters on fork runs where repository_owner is the fork owner, not the actor). --- .github/workflows/build-wolfprovider.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-wolfprovider.yml b/.github/workflows/build-wolfprovider.yml index 5d6d81a8..e6fc6065 100644 --- a/.github/workflows/build-wolfprovider.yml +++ b/.github/workflows/build-wolfprovider.yml 
@@ -109,16 +109,20 @@ jobs:
rm -f "oras_${ORAS_VERSION}_linux_amd64.tar.gz"
"$GITHUB_WORKSPACE/.bin/oras" version
+ # The wolfprov debs at ghcr.io/wolfssl/wolfprovider/debs:* are
+ # public, so login is best-effort: it helps rate-limits when the
+ # caller has a token, but anonymous pulls still work for forks.
- name: Login to ghcr.io
- if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider'
+ if: steps.check_artifact.outcome != 'success'
+ continue-on-error: true
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | oras login \
- --username ${{ github.repository_owner }} \
+ --username ${{ github.actor }} \
--password-stdin ghcr.io
# ── Debian build: pull .deb packages from ghcr.io ──
- name: Download pre-built packages from ghcr.io
- if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider' && inputs.build_type == 'debian'
+ if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
run: |
mkdir -p ${{ env.WOLFSSL_PACKAGES_PATH }}
mkdir -p ${{ env.OPENSSL_PACKAGES_PATH }}
@@ -198,7 +202,7 @@ jobs:
done
- name: Download WIC images from ghcr.io
- if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider' && inputs.build_type == 'yocto'
+ if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'yocto'
run: |
mkdir -p ${{ env.YOCTO_IMAGES_PATH }}
From 98876f3d7e62adb4f60d9edd981e43e9f593586e Mon Sep 17 00:00:00 2001
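Review bot: The rewritten `Login to ghcr.io` step still expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the `run:` script text, so the token is spliced into the rendered shell source and the username is interpolated unquoted; GitHub's workflow-hardening guidance is to hand both to the step through `env:` and reference them as shell variables. The added `continue-on-error: true` also makes a rejected login indistinguishable from a successful one in the job result, so the following pull silently proceeds anonymously — acceptable only while `ghcr.io/wolfssl/wolfprovider/debs:*` really is public, and a 401 from the pull in the next step should then fail the job rather than leave empty package directories behind. The enclosing job starts outside the hunk.

```yaml
      - name: Login to ghcr.io
        if: steps.check_artifact.outcome != 'success'
        continue-on-error: true
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          printf '%s' "$GHCR_TOKEN" | oras login --username "$GHCR_USER" --password-stdin ghcr.io
```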
From: aidan garske Date: Mon, 25 May 2026 14:25:58 -0700 Subject: [PATCH 22/26] ci: publish-test-deps-image.yml: auto-mark package public after push Default ghcr visibility for a newly-created container package is private. That breaks fork-CI runs (the consumer workflows on aidangarske/wolfProvider can't pull the image from ghcr.io/aidangarske/wolfprovider-test-deps because the fork's GITHUB_TOKEN doesn't authorize cross-namespace reads). Add a Mark-package-public step after the build/push that PATCHes visibility=public: - Detects whether github.repository_owner is an Organization or User and hits the right endpoint: orgs/wolfSSL/packages/container/wolfprovider-test-deps user/packages/container/wolfprovider-test-deps - Uses GH_PACKAGES_ADMIN_TOKEN if the repo has it (a PAT with admin:packages scope), else falls back to GITHUB_TOKEN. The fallback may not have enough scope on first creation; if so the step is `continue-on-error: true` so the publish itself still succeeds and the visibility just needs to be flipped manually once via the GitHub UI. After that, the package is public and future runs are no-ops. Skipped on fork PRs (same as the push step) -- no perms to flip visibility on a remote repo's namespace. --- .github/workflows/publish-test-deps-image.yml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/.github/workflows/publish-test-deps-image.yml b/.github/workflows/publish-test-deps-image.yml index 6c1d9574..abb5c35d 100644 --- a/.github/workflows/publish-test-deps-image.yml +++ b/.github/workflows/publish-test-deps-image.yml @@ -63,6 +63,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push image + id: build uses: docker/build-push-action@v6 with: context: docker/wolfprovider-test-deps 
@@ -74,3 +75,43 @@ jobs:
ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm-${{ github.sha }}
cache-from: type=registry,ref=ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm
cache-to: type=inline
+
+ # Default ghcr visibility for a newly-created package is `private`.
+ # Force it to `public` so consumer workflows can pull anonymously
+ # (fork PRs running in upstream context don't have org-scope tokens
+ # against the fork's ghcr namespace). Idempotent on subsequent
+ # pushes -- the package stays public until manually toggled.
+ #
+ # NB: the REST PATCH below uses the GITHUB_TOKEN. Org-scope packages
+ # (ghcr.io/wolfssl/...) require the workflow's `permissions:` block
+ # to grant `packages: write`, which is already set at the top of
+ # this file. continue-on-error so a token-scope edge case doesn't
+ # fail the publish itself -- the push already happened.
+ - name: Mark package public
+ if: steps.build.conclusion == 'success' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
+ continue-on-error: true
+ env:
+ GH_TOKEN: ${{ secrets.GH_PACKAGES_ADMIN_TOKEN || secrets.GITHUB_TOKEN }}
+ OWNER: ${{ steps.owner.outputs.lc }}
+ # The owner GitHub returns may have org-vs-user account type.
+ # We detect at run time and call the right endpoint.
+ REPO_OWNER_RAW: ${{ github.repository_owner }}
+ run: |
+ set -euo pipefail
+ # Figure out whether OWNER is an org or a user. /users/ works
+ # for both, but /orgs//packages/... is the right path for orgs.
+ OWNER_TYPE=$(gh api "/users/${REPO_OWNER_RAW}" --jq '.type')
+ echo "Owner '${REPO_OWNER_RAW}' type: ${OWNER_TYPE}"
+
+ if [ "$OWNER_TYPE" = "Organization" ]; then
+ ENDPOINT="/orgs/${REPO_OWNER_RAW}/packages/container/wolfprovider-test-deps"
+ else
+ # User-owned package endpoint requires the authenticated user
+ # to be the package owner.
+ ENDPOINT="/user/packages/container/wolfprovider-test-deps"
+ fi
+
+ echo "Setting visibility=public on ${ENDPOINT}"
+ gh api -X PATCH "$ENDPOINT" -f visibility=public \
+ && echo "OK: package is now public" \
+ || echo "WARN: could not flip visibility automatically -- the publish itself succeeded; flip manually via GitHub UI under Packages > Package settings."
From 04daf8c62ddbea2fc3d721a0e7b8d9f8d7d68c0f Mon Sep 17 00:00:00 2001
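Review bot: The `Mark package public` step makes a container package world-readable on every successful push with no explicit opt-in, using a token that may carry `admin:packages` scope, and because the closing `gh api -X PATCH ... || echo "WARN: ..."` absorbs every failure on top of `continue-on-error: true`, neither an unintended publication nor a package that quietly stayed private is visible in the job result. Gate the step on a deliberate switch — for instance appending `&& vars.TEST_DEPS_IMAGE_PUBLIC == 'true'` to its `if:` (variable name illustrative) — and let a rejected PATCH fail the step, `|| { echo "::error::could not set visibility on ${ENDPOINT}"; exit 1; }`, so `continue-on-error` records it as a visibly failed step instead of an OK-looking log line. The `/user/packages/...` branch addresses the authenticated user, and `GITHUB_TOKEN` appears to be an app installation token rather than a user, so with that fallback on a user-owned namespace the PATCH is unlikely ever to succeed; the comment block should state that plainly rather than call it a "token-scope edge case". The `set -euo pipefail` at the top of the script has no effect on the final pipeline because of the `||` fallback, which is worth a comment if the swallow is kept.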
From: aidan garske Date: Mon, 25 May 2026 14:41:58 -0700 Subject: [PATCH 23/26] ci: revert per-owner / auto-public docker plumbing (packages stay private) Earlier commits tried to make fork CI work by: - having publish-test-deps-image.yml push to a per-owner ghcr namespace (ghcr.io//wolfprovider-test-deps) - having consumer workflows pull from the PR head's owner - auto-PATCHing the test-deps package to visibility=public - dropping the `github.repository == 'wolfSSL/wolfProvider'` guard on the wolfprov-debs ORAS pull in build-wolfprovider.yml That path only works if the packages can be public, which they can't (some of the .debs contain commercially-licensed bits). Revert to the canonical-only behavior: publish-test-deps-image.yml - fires only on push to master/main (was '**') - guards the publish on github.repository == 'wolfSSL/wolfProvider' - drops the per-owner namespace; always pushes to ghcr.io/wolfssl/wolfprovider-test-deps - removes the Mark-package-public step build-wolfprovider.yml - restores the github.repository == 'wolfSSL/wolfProvider' guard on the Login, Download .debs, and Download WIC steps 39 consumer workflows - container.image reverted from the per-owner expression back to the literal ghcr.io/wolfssl/wolfprovider-test-deps:bookworm Practical effect: PR CI and nightly only run on the canonical repo (or once PR #400 merges, on wolfSSL/wolfProvider's runners). Fork pushes will skip the wolfprov-deb pull and any container-using job will fail loud at the image pull -- which is the right signal: those runs need to happen on the canonical repo. 
--- .github/workflows/bind9.yml | 2 +- .github/workflows/build-wolfprovider.yml | 16 ++-- .github/workflows/cjose.yml | 2 +- .github/workflows/curl.yml | 2 +- .github/workflows/debian-package.yml | 2 +- .github/workflows/git-ssh-dr.yml | 2 +- .github/workflows/grpc.yml | 2 +- .github/workflows/hostap.yml | 2 +- .github/workflows/iperf.yml | 2 +- .github/workflows/krb5.yml | 2 +- .github/workflows/libcryptsetup.yml | 2 +- .github/workflows/libeac3.yml | 2 +- .github/workflows/libfido2.yml | 2 +- .github/workflows/libhashkit2.yml | 2 +- .github/workflows/libnice.yml | 2 +- .github/workflows/liboauth2.yml | 2 +- .github/workflows/librelp.yml | 2 +- .github/workflows/libssh2.yml | 2 +- .github/workflows/libtss2.yml | 2 +- .github/workflows/libwebsockets.yml | 2 +- .github/workflows/net-snmp.yml | 2 +- .github/workflows/nginx.yml | 2 +- .github/workflows/openldap.yml | 2 +- .github/workflows/opensc.yml | 2 +- .github/workflows/openssh.yml | 2 +- .github/workflows/openvpn.yml | 2 +- .github/workflows/pam-pkcs11.yml | 2 +- .github/workflows/ppp.yml | 2 +- .github/workflows/publish-test-deps-image.yml | 86 +++---------------- .github/workflows/python3-ntp.yml | 2 +- .github/workflows/qt5network5.yml | 2 +- .github/workflows/rsync.yml | 2 +- .github/workflows/socat.yml | 2 +- .github/workflows/sscep.yml | 2 +- .github/workflows/stunnel.yml | 2 +- .github/workflows/systemd.yml | 2 +- .github/workflows/tcpdump.yml | 2 +- .github/workflows/tnftp.yml | 2 +- .github/workflows/tpm2-tools.yml | 2 +- .github/workflows/x11vnc.yml | 2 +- .github/workflows/xmlsec.yml | 2 +- 41 files changed, 61 insertions(+), 119 deletions(-) diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml index f8198b38..fa141948 100644 --- a/.github/workflows/bind9.yml +++ b/.github/workflows/bind9.yml 
@@ -33,7 +33,7 @@ jobs:
runs-on: ubuntu-22.04
needs: [build_wolfprovider, discover_versions]
container:
- image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
+ image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
env:
DEBIAN_FRONTEND: noninteractive
# This should be a safe limit for the tests to run.
diff --git a/.github/workflows/build-wolfprovider.yml b/.github/workflows/build-wolfprovider.yml
index e6fc6065..dcef8e06 100644
--- a/.github/workflows/build-wolfprovider.yml
+++ b/.github/workflows/build-wolfprovider.yml
@@ -109,20 +109,20 @@ jobs:
rm -f "oras_${ORAS_VERSION}_linux_amd64.tar.gz"
"$GITHUB_WORKSPACE/.bin/oras" version
- # The wolfprov debs at ghcr.io/wolfssl/wolfprovider/debs:* are
- # public, so login is best-effort: it helps rate-limits when the
- # caller has a token, but anonymous pulls still work for forks.
- name: Login to ghcr.io
- if: steps.check_artifact.outcome != 'success'
- continue-on-error: true
+ if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider'
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | oras login \
- --username ${{ github.actor }} \
+ --username ${{ github.repository_owner }} \
--password-stdin ghcr.io
# ── Debian build: pull .deb packages from ghcr.io ──
+ # The wolfprov debs (ghcr.io/wolfssl/wolfprovider/debs:*) are
+ # private. Only canonical-repo runs have a token authorized to
+ # pull them; forks would 401 and silently skip the install, so
+ # short-circuit here to fail loud and explain.
- name: Download pre-built packages from ghcr.io
- if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
+ if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider' && inputs.build_type == 'debian'
run: |
mkdir -p ${{ env.WOLFSSL_PACKAGES_PATH }}
mkdir -p ${{ env.OPENSSL_PACKAGES_PATH }}
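Review bot: The restored `image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm` line references the test container by a mutable tag, so whatever was last pushed to `bookworm` is what every consumer job executes and nothing in this repository records which image a given CI run used; the same line recurs in the cjose, curl, debian-package and every other consumer workflow in this commit. The publish workflow, at least as of the previous commit, also tags each push as `bookworm-${{ github.sha }}`, so consumers could reference that immutable tag, or better a digest — `image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm@sha256:<digest-of-current-image>` — and bump it deliberately when the image is rebuilt. That trades away the automatic refresh the floating tag gives, so it may be intentional; if so, a one-line comment above `image:` saying the tag floats by design would keep the next reader from re-raising it. The enclosing job definition begins outside the hunk.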
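Review bot: The new comment above `Download pre-built packages from ghcr.io` says forks are short-circuited "to fail loud and explain", but the `if:` it documents merely skips the step when `github.repository` is not `wolfSSL/wolfProvider`; nothing emits an error, so a fork run continues with empty package directories — the silent `dpkg -i` no-op and late "could not locate wolfSSL" failure that the previous commit's message describes. Either reword the comment to say the step is skipped on forks, or add a real short-circuit step that fails with an explanation whenever the guard is false; the same mismatch applies to the `Download WIC images` hunk that follows. The enclosing job starts outside the hunk.

```yaml
      # ── Debian build: pull .deb packages from ghcr.io ──
      - name: Refuse to continue without the private wolfprov packages
        if: steps.check_artifact.outcome != 'success' && github.repository != 'wolfSSL/wolfProvider' && (inputs.build_type == 'debian' || inputs.build_type == 'yocto')
        run: |
          echo "::error::ghcr.io/wolfssl/wolfprovider/debs:* is private; this job must run on wolfSSL/wolfProvider or be given the packages as a workflow artifact"
          exit 1
      # … unchanged: Download pre-built packages from ghcr.io step …
```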
@@ -202,7 +202,7 @@ jobs:
done
- name: Download WIC images from ghcr.io
- if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'yocto'
+ if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider' && inputs.build_type == 'yocto'
run: |
mkdir -p ${{ env.YOCTO_IMAGES_PATH }}
diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml
index 7fb28861..61e1977a 100644
--- a/.github/workflows/cjose.yml
+++ b/.github/workflows/cjose.yml
@@ -34,7 +34,7 @@ jobs:
needs: [build_wolfprovider, discover_versions]
# Run inside Debian Bookworm to match packaging environment
container:
- image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
+ image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
env:
DEBIAN_FRONTEND: noninteractive
# This should be a safe limit for the tests to run.
diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml
index 585548a4..51749070 100644
--- a/.github/workflows/curl.yml
+++ b/.github/workflows/curl.yml
@@ -33,7 +33,7 @@ jobs:
runs-on: ubuntu-22.04
needs: [build_wolfprovider, discover_versions]
container:
- image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
+ image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
env:
DEBIAN_FRONTEND: noninteractive
# This should be a safe limit for the tests to run.
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
index dbbbf926..f0265b52 100644
--- a/.github/workflows/debian-package.yml
+++ b/.github/workflows/debian-package.yml
@@ -35,7 +35,7 @@ jobs: needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml index 0cc70f56..2305d573 100644 --- a/.github/workflows/git-ssh-dr.yml +++ b/.github/workflows/git-ssh-dr.yml @@ -32,7 +32,7 @@ jobs: git-ssh-default-replace-test: runs-on: ubuntu-22.04 container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive needs: [build_wolfprovider, discover_versions] diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 5f363e00..b8f9357b 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index 6a46ce3b..18eed4d0 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml 
@@ -34,7 +34,7 @@ jobs: needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm with privileged access for UML container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --privileged --cap-add=ALL -v /dev:/dev env: DEBIAN_FRONTEND: noninteractive diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 53d1dbb0..b900a4ef 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index 0434de0f..c37a7b61 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index 00405567..22504c73 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml 
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 1daa5408..a494856e 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index 845667ad..f1f4a606 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index c0d43ba7..7d2218b3 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml 
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index ee26aa44..1399c62c 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index cb5cfe57..074cd59e 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index 874fc184..937d5e53 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml 
@@ -34,7 +34,7 @@ jobs: needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 8ce2c509..837d043c 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 20 diff --git a/.github/workflows/libtss2.yml b/.github/workflows/libtss2.yml index 9993548f..507608c5 100644 --- a/.github/workflows/libtss2.yml +++ b/.github/workflows/libtss2.yml @@ -17,7 +17,7 @@ jobs: needs: discover_versions runs-on: ubuntu-22.04 container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 30 diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index c2700fbf..adb2450c 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml 
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 83fb7b4c..a1ad22ca 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 6fb9c2c5..53e868b2 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index edb578ac..102a93cc 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml 
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index b11ca2da..898f53cc 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 063fb01b..c1126003 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm # Extra permissions needed for Debian Bookworm options: >- --privileged diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 952f9fb1..8b2522d1 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml 
@@ -35,7 +35,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive strategy: diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index 3340984b..ff574dd3 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index 18ad6975..4360859a 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 diff --git a/.github/workflows/publish-test-deps-image.yml b/.github/workflows/publish-test-deps-image.yml index abb5c35d..36f7c3b4 100644 --- a/.github/workflows/publish-test-deps-image.yml +++ b/.github/workflows/publish-test-deps-image.yml 
@@ -1,30 +1,23 @@ name: Publish test-deps image # Builds docker/wolfprovider-test-deps/Dockerfile and pushes it to -# ghcr.io//wolfprovider-test-deps:bookworm. +# ghcr.io/wolfssl/wolfprovider-test-deps:bookworm. # -# Publishes to the namespace of whatever repo this workflow runs in: -# - wolfSSL/wolfProvider master -> ghcr.io/wolfssl/... -# - aidangarske/wolfProvider push -> ghcr.io/aidangarske/... -# -# Consumer workflows pull from the PR head's owner (or the running -# repo's owner on push), so a fork PR can iterate on its own image. -# The owner needs to make the published package public once. +# Fires when the Dockerfile (or this workflow file) changes on master. +# The pushed package stays private -- consumer workflows running on +# wolfSSL/wolfProvider use the canonical GITHUB_TOKEN, which has read +# access to the org's private packages. on: push: - branches: [ '**' ] - paths: - - 'docker/wolfprovider-test-deps/**' - - '.github/workflows/publish-test-deps-image.yml' - pull_request: + branches: [ 'master', 'main' ] paths: - 'docker/wolfprovider-test-deps/**' - '.github/workflows/publish-test-deps-image.yml' workflow_dispatch: {} concurrency: - group: publish-test-deps-image-${{ github.ref }} + group: publish-test-deps-image cancel-in-progress: false permissions: 
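Review bot: The rewritten header comment says the workflow fires on changes "on master", while the trigger directly below lists `branches: [ 'master', 'main' ]`; suggest `# Fires when the Dockerfile (or this workflow file) changes on master/main.` The comment also states as fact that consumer workflows' canonical GITHUB_TOKEN can read the private package, but nothing in this file or in the consumer `container:` blocks elsewhere on this page configures image-pull credentials, so that sentence reads better as an expectation to verify than as a guarantee. The final commit on this page reinstates this hunk verbatim in its first hunk on publish-test-deps-image.yml, where the same wording applies.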
@@ -33,29 +26,20 @@ permissions: jobs: publish: + # Only the canonical repo's runner has a token authorized to push + # to ghcr.io/wolfssl/*. Forks won't have that scope, so skip. + if: github.repository == 'wolfSSL/wolfProvider' runs-on: ubuntu-22.04 timeout-minutes: 45 - env: - # Lowercase the owner — ghcr.io path components must be lowercase - # even though the GitHub org casing is "wolfSSL". - IMAGE_OWNER: ${{ github.repository_owner }} steps: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Compute lowercase image owner - id: owner - run: | - echo "lc=$(echo "${IMAGE_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to ghcr.io - # PR runs from forks have a read-only GITHUB_TOKEN; skip login - # (and skip push below) in that case. - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false uses: docker/login-action@v3 with: registry: ghcr.io 
@@ -63,55 +47,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push image - id: build uses: docker/build-push-action@v6 with: context: docker/wolfprovider-test-deps file: docker/wolfprovider-test-deps/Dockerfile - # Push from push/dispatch always; skip on fork PRs (no perms). - push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} + push: true tags: | - ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm - ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm-${{ github.sha }} - cache-from: type=registry,ref=ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm + ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + ghcr.io/wolfssl/wolfprovider-test-deps:bookworm-${{ github.sha }} + cache-from: type=registry,ref=ghcr.io/wolfssl/wolfprovider-test-deps:bookworm cache-to: type=inline - - # Default ghcr visibility for a newly-created package is `private`. - # Force it to `public` so consumer workflows can pull anonymously - # (fork PRs running in upstream context don't have org-scope tokens - # against the fork's ghcr namespace). Idempotent on subsequent - # pushes -- the package stays public until manually toggled. - # - # NB: the REST PATCH below uses the GITHUB_TOKEN. Org-scope packages - # (ghcr.io/wolfssl/...) require the workflow's `permissions:` block - # to grant `packages: write`, which is already set at the top of - # this file. continue-on-error so a token-scope edge case doesn't - # fail the publish itself -- the push already happened. - - name: Mark package public - if: steps.build.conclusion == 'success' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) - continue-on-error: true - env: - GH_TOKEN: ${{ secrets.GH_PACKAGES_ADMIN_TOKEN || secrets.GITHUB_TOKEN }} - OWNER: ${{ steps.owner.outputs.lc }} - # The owner GitHub returns may have org-vs-user account type. 
- # We detect at run time and call the right endpoint. - REPO_OWNER_RAW: ${{ github.repository_owner }} - run: | - set -euo pipefail - # Figure out whether OWNER is an org or a user. /users/ works - # for both, but /orgs//packages/... is the right path for orgs. - OWNER_TYPE=$(gh api "/users/${REPO_OWNER_RAW}" --jq '.type') - echo "Owner '${REPO_OWNER_RAW}' type: ${OWNER_TYPE}" - - if [ "$OWNER_TYPE" = "Organization" ]; then - ENDPOINT="/orgs/${REPO_OWNER_RAW}/packages/container/wolfprovider-test-deps" - else - # User-owned package endpoint requires the authenticated user - # to be the package owner. - ENDPOINT="/user/packages/container/wolfprovider-test-deps" - fi - - echo "Setting visibility=public on ${ENDPOINT}" - gh api -X PATCH "$ENDPOINT" -f visibility=public \ - && echo "OK: package is now public" \ - || echo "WARN: could not flip visibility automatically -- the publish itself succeeded; flip manually via GitHub UI under Packages > Package settings." diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index 11aeb9da..865a3e96 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml @@ -35,7 +35,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index 7637a030..6dc1a6d5 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml 
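Review bot: `push: true` is now unconditional, and with `workflow_dispatch: {}` still in the trigger list a manual run from any branch of the canonical repo overwrites the floating `bookworm` tag that every consumer workflow pulls; limiting the push to the branches the `on.push` filter already names keeps a dispatch on a feature branch as a build-only check: `push: ${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}`. Dropping the "Mark package public" step also removes the `GH_PACKAGES_ADMIN_TOKEN || GITHUB_TOKEN` fallback and the REST PATCH, which narrows what this workflow can do with an elevated token. The same `push: true` and tag lines reappear in the final commit's second hunk on this file, where the same guard applies.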
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 40 diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 87095a04..ba22160e 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml @@ -34,7 +34,7 @@ jobs: needs: [build_wolfprovider, discover_versions] timeout-minutes: 15 container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index f625aca3..062eecd7 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -34,7 +34,7 @@ jobs: needs: [build_wolfprovider, discover_versions] continue-on-error: true container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index c19f09ea..1640afd3 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml 
@@ -34,7 +34,7 @@ jobs: needs: [build_wolfprovider, discover_versions] timeout-minutes: 10 container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm options: --user root env: DEBIAN_FRONTEND: noninteractive diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index 7471f735..b50d520d 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index e49eeab3..e6c622d2 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml @@ -35,7 +35,7 @@ jobs: # This should be a safe limit for the tests to run. timeout-minutes: 20 container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index 15ff509c..a116f976 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml 
@@ -34,7 +34,7 @@ jobs: needs: [build_wolfprovider, discover_versions] continue-on-error: true container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 15 diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 656b104a..7cb3a77a 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml index 029c8f0c..8503c0ee 100644 --- a/.github/workflows/tpm2-tools.yml +++ b/.github/workflows/tpm2-tools.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml index 4f5b350d..8a36242f 100644 --- a/.github/workflows/x11vnc.yml +++ b/.github/workflows/x11vnc.yml 
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-22.04 needs: [build_wolfprovider, discover_versions] container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive timeout-minutes: 10 diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml index ce50ef64..a26ff21d 100644 --- a/.github/workflows/xmlsec.yml +++ b/.github/workflows/xmlsec.yml @@ -33,7 +33,7 @@ jobs: needs: [build_wolfprovider, discover_versions] # Run inside Debian Bookworm to match packaging environment container: - image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm + image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm env: DEBIAN_FRONTEND: noninteractive # This should be a safe limit for the tests to run. From fbd9ec7684a2c836387af4717deeaaa9efa66b53 Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 14:43:00 -0700 Subject: [PATCH 24/26] ci: fire nightly-osp.yml on PR too (temporary, for PR #400 validation) Add pull_request trigger to nightly-osp.yml so PR #400's reviewers can see the dispatcher actually fan all 41 reusable workflows out and the notify job hit Slack. Marked temporary in the file header -- revert this trigger before merging if you don't want the full nightly job set firing on every PR. (For everyday CI, scheduled + workflow_dispatch is the intended shape.) Note: PR runs from forks will still hit the private-package issue for the wolfprov-debs pull (the wolfSSL/wolfProvider repo guard short-circuits the ORAS step on non-canonical repos). The plumbing itself -- dispatch, discover-versions, notify, Slack -- runs regardless and is what this PR-trigger lets you verify end-to-end. --- .github/workflows/nightly-osp.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly-osp.yml b/.github/workflows/nightly-osp.yml index 3c99bf0d..38d69c74 100644 --- a/.github/workflows/nightly-osp.yml +++ b/.github/workflows/nightly-osp.yml 
@@ -6,14 +6,34 @@ name: Nightly OSP Suite # (workflow_call) workflow; this file just fans them out in parallel # and reports an aggregate status to Slack. # -# PR CI does NOT run these -- it stays cheap (smoke + simple + a few -# internal checks). Nightly is where the full matrix lives. +# Triggers: +# - schedule: daily at 06:00 UTC +# - workflow_dispatch: manual fire from the Actions UI +# - pull_request: TEMPORARY -- so PR #400's reviewers can see +# the dispatcher actually fan everything out +# and the notify job hit Slack. Revert this +# trigger before merging if you don't want +# nightly's full job set firing on every PR. on: schedule: # 06:00 UTC daily. Pick a time when shared-runner contention is low # so the matrix doesn't fight PR CI. - cron: '0 6 * * *' + pull_request: + branches: [ '*' ] + types: [opened, synchronize, reopened, ready_for_review] + paths-ignore: + - '**.md' + - 'docs/**' + - 'LICENSE*' + - '.github/ISSUE_TEMPLATE/**' + - '.github/dependabot.yml' + - '.gitignore' + - 'AUTHORS' + - 'COPYING' + - 'README*' + - 'CHANGELOG*' workflow_dispatch: inputs: reason: From cfda41f198f473e771abd8acd0ac409eecb4be47 Mon Sep 17 00:00:00 2001 
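Review bot: `branches: [ '*' ]` in the new `pull_request` trigger does not match branch names containing `/`, because a single `*` in a GitHub Actions branch filter does not cross the path separator; if every target branch is intended, use `branches: [ '**' ]` or drop the `branches:` filter, since `pull_request` already fires for all base branches. Because this trigger fans the full nightly matrix out on every PR, the TEMPORARY marker in the header comment is the only thing standing between it and the merge; a `# TODO(#400): remove before merge` directly on the `pull_request:` line would make it greppable. The `on:` mapping continues past the end of the hunk.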
From: aidan garske Date: Mon, 25 May 2026 15:00:25 -0700 Subject: [PATCH 25/26] ci: publish-test-deps-image.yml -- also fire on aidangarske/wolfProvider Adds aidangarske/wolfProvider to the publish workflow's repository allowlist so PR #400's working branch can bootstrap a test-deps image on the fork's ghcr namespace. Pushed image lands at ghcr.io/aidangarske/wolfprovider-test-deps:bookworm. Also adds 'ci-draft-pause' to the branches list (alongside master/ main) so a push to that branch triggers the workflow without needing a separate workflow_dispatch. Consumer workflows continue to pull from ghcr.io/wolfssl/... so this fork-side push is purely for the fork owner to verify the build/push pipeline works end to end before PR merges. After merge, the canonical wolfSSL/wolfProvider master push will publish the authoritative image and consumers will find it. Note: the 'ci-draft-pause' branch entry is TEMPORARY for PR #400. Drop it (and remove aidangarske from the allowlist if desired) once the PR merges. --- .github/workflows/publish-test-deps-image.yml | 49 ++++++++++++++----- 1 file changed, 36 insertions(+), 13 deletions(-) diff --git a/.github/workflows/publish-test-deps-image.yml b/.github/workflows/publish-test-deps-image.yml index 36f7c3b4..ae8306e3 100644 --- a/.github/workflows/publish-test-deps-image.yml +++ b/.github/workflows/publish-test-deps-image.yml 
@@ -1,23 +1,36 @@ name: Publish test-deps image # Builds docker/wolfprovider-test-deps/Dockerfile and pushes it to -# ghcr.io/wolfssl/wolfprovider-test-deps:bookworm. +# ghcr.io//wolfprovider-test-deps:bookworm. # -# Fires when the Dockerfile (or this workflow file) changes on master. -# The pushed package stays private -- consumer workflows running on -# wolfSSL/wolfProvider use the canonical GITHUB_TOKEN, which has read -# access to the org's private packages. +# Fires on: +# - push to master/main on wolfSSL/wolfProvider (canonical publish) +# - push to any branch on aidangarske/wolfProvider (fork-side +# bootstrap, so PR #400 has an image to point at while iterating) +# - workflow_dispatch (manual fire from either repo) +# +# Pushes to whichever ghcr namespace the runner is in: +# - wolfSSL/wolfProvider -> ghcr.io/wolfssl/wolfprovider-test-deps +# - aidangarske/wolfProvider -> ghcr.io/aidangarske/wolfprovider-test-deps +# +# The consumer workflows (bind9, curl, etc.) hardcode the canonical +# wolfssl namespace, so the fork-side publish is purely for the fork +# owner to validate the build/push pipeline -- not for the PR's +# consumer workflows to use. on: push: - branches: [ 'master', 'main' ] + branches: + - master + - main + - 'ci-draft-pause' # TEMPORARY: PR #400's working branch paths: - 'docker/wolfprovider-test-deps/**' - '.github/workflows/publish-test-deps-image.yml' workflow_dispatch: {} concurrency: - group: publish-test-deps-image + group: publish-test-deps-image-${{ github.repository }}-${{ github.ref }} cancel-in-progress: false permissions: 
@@ -26,16 +39,26 @@ permissions: jobs: publish: - # Only the canonical repo's runner has a token authorized to push - # to ghcr.io/wolfssl/*. Forks won't have that scope, so skip. - if: github.repository == 'wolfSSL/wolfProvider' + # Only allow the two known-good repos. Refuse to push from any + # other fork to avoid burning runner-minutes building an image + # that nothing will pull. + if: github.repository == 'wolfSSL/wolfProvider' || github.repository == 'aidangarske/wolfProvider' runs-on: ubuntu-22.04 timeout-minutes: 45 + env: + IMAGE_OWNER: ${{ github.repository_owner }} steps: - uses: actions/checkout@v4 with: fetch-depth: 1 + - name: Compute lowercase image owner + id: owner + run: | + # ghcr.io path components must be lowercase even though the + # GitHub org casing is "wolfSSL". + echo "lc=$(echo "${IMAGE_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -53,7 +76,7 @@ jobs: file: docker/wolfprovider-test-deps/Dockerfile push: true tags: | - ghcr.io/wolfssl/wolfprovider-test-deps:bookworm - ghcr.io/wolfssl/wolfprovider-test-deps:bookworm-${{ github.sha }} - cache-from: type=registry,ref=ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm + ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm-${{ github.sha }} + cache-from: type=registry,ref=ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm cache-to: type=inline From 87f19ffd1f2e26889ecfc149d1cff8ed24974803 Mon Sep 17 00:00:00 2001 
From: aidan garske Date: Mon, 25 May 2026 15:15:47 -0700 Subject: [PATCH 26/26] ci: publish-test-deps-image.yml -- align with bootstrap PR #402 Drop the fork-allowance/ci-draft-pause-branch additions so this file matches the version going in via PR #402. After #402 merges to master, this PR's branch will have the identical content -- no merge conflict, no duplicate-but-different file diff to resolve. Reverts the temporary changes from previous commits: - branches: ['master','main','ci-draft-pause'] -> ['master','main'] - aidangarske/wolfProvider repo allowance dropped - per-owner ghcr namespace logic dropped (canonical wolfssl/ only) - concurrency group simplified (no ${{ github.repository }} suffix) If you still want fork-side iteration after #402 merges, do it on the bootstrap branch with workflow_dispatch on the canonical repo; the canonical publish flow is what consumers actually pull from. --- .github/workflows/publish-test-deps-image.yml | 49 +++++-------------- 1 file changed, 13 insertions(+), 36 deletions(-) diff --git a/.github/workflows/publish-test-deps-image.yml b/.github/workflows/publish-test-deps-image.yml index ae8306e3..36f7c3b4 100644 --- a/.github/workflows/publish-test-deps-image.yml +++ b/.github/workflows/publish-test-deps-image.yml 
@@ -1,36 +1,23 @@ name: Publish test-deps image # Builds docker/wolfprovider-test-deps/Dockerfile and pushes it to -# ghcr.io//wolfprovider-test-deps:bookworm. +# ghcr.io/wolfssl/wolfprovider-test-deps:bookworm. # -# Fires on: -# - push to master/main on wolfSSL/wolfProvider (canonical publish) -# - push to any branch on aidangarske/wolfProvider (fork-side -# bootstrap, so PR #400 has an image to point at while iterating) -# - workflow_dispatch (manual fire from either repo) -# -# Pushes to whichever ghcr namespace the runner is in: -# - wolfSSL/wolfProvider -> ghcr.io/wolfssl/wolfprovider-test-deps -# - aidangarske/wolfProvider -> ghcr.io/aidangarske/wolfprovider-test-deps -# -# The consumer workflows (bind9, curl, etc.) hardcode the canonical -# wolfssl namespace, so the fork-side publish is purely for the fork -# owner to validate the build/push pipeline -- not for the PR's -# consumer workflows to use. +# Fires when the Dockerfile (or this workflow file) changes on master. +# The pushed package stays private -- consumer workflows running on +# wolfSSL/wolfProvider use the canonical GITHUB_TOKEN, which has read +# access to the org's private packages. on: push: - branches: - - master - - main - - 'ci-draft-pause' # TEMPORARY: PR #400's working branch + branches: [ 'master', 'main' ] paths: - 'docker/wolfprovider-test-deps/**' - '.github/workflows/publish-test-deps-image.yml' workflow_dispatch: {} concurrency: - group: publish-test-deps-image-${{ github.repository }}-${{ github.ref }} + group: publish-test-deps-image cancel-in-progress: false permissions: 
@@ -39,26 +26,16 @@ permissions: jobs: publish: - # Only allow the two known-good repos. Refuse to push from any - # other fork to avoid burning runner-minutes building an image - # that nothing will pull. - if: github.repository == 'wolfSSL/wolfProvider' || github.repository == 'aidangarske/wolfProvider' + # Only the canonical repo's runner has a token authorized to push + # to ghcr.io/wolfssl/*. Forks won't have that scope, so skip. + if: github.repository == 'wolfSSL/wolfProvider' runs-on: ubuntu-22.04 timeout-minutes: 45 - env: - IMAGE_OWNER: ${{ github.repository_owner }} steps: - uses: actions/checkout@v4 with: fetch-depth: 1 - - name: Compute lowercase image owner - id: owner - run: | - # ghcr.io path components must be lowercase even though the - # GitHub org casing is "wolfSSL". - echo "lc=$(echo "${IMAGE_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -76,7 +53,7 @@ jobs: file: docker/wolfprovider-test-deps/Dockerfile push: true tags: | - ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm - ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm-${{ github.sha }} - cache-from: type=registry,ref=ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm + ghcr.io/wolfssl/wolfprovider-test-deps:bookworm + ghcr.io/wolfssl/wolfprovider-test-deps:bookworm-${{ github.sha }} + cache-from: type=registry,ref=ghcr.io/wolfssl/wolfprovider-test-deps:bookworm cache-to: type=inline