From 7f8089603325af570d4493c8bde3d5eeba16227c Mon Sep 17 00:00:00 2001 
From: David Garske Date: Wed, 20 May 2026 21:06:25 -0700 Subject: [PATCH 1/2] CI optimizations - Skip CI for draft PRs and redundant master-push re-runs; membrowse nightly. - Add smoke test (8 configs, CFLAGS=-Werror, post-merge tree, fail-fast on conflicts). - Add wait-for-smoke composite action for downstream CI gating. - Add check-source-text + bash -n + shellcheck workflow (script in make dist). - Cache apt-get update in install-apt-deps composite on cache hit. --- .github/actions/install-apt-deps/action.yml | 14 + .github/actions/wait-for-smoke/action.yml | 95 ++++++ .github/scripts/check-source-text.sh | 309 ++++++++++++++++++ .github/workflows/ada.yml | 5 +- .github/workflows/arduino.yml | 5 +- .github/workflows/async-examples.yml | 5 +- .github/workflows/async.yml | 5 +- .github/workflows/atecc608-sim.yml | 5 +- .github/workflows/bind.yml | 7 +- .github/workflows/check-source-text.yml | 107 ++++++ .github/workflows/cmake-autoconf.yml | 5 +- .github/workflows/cmake.yml | 5 +- .github/workflows/codespell.yml | 3 +- .github/workflows/cryptocb-only.yml | 5 +- .github/workflows/curl.yml | 7 +- .github/workflows/cyrus-sasl.yml | 7 +- .github/workflows/disable-pk-algs.yml | 5 +- .github/workflows/docker-Espressif.yml | 9 +- .github/workflows/docker-OpenWrt.yml | 7 +- .github/workflows/emnet-nonblock.yml | 5 +- .github/workflows/fil-c.yml | 5 +- .github/workflows/freertos-mem-track.yml | 5 +- .github/workflows/gencertbuf.yml | 5 +- .github/workflows/grpc.yml | 7 +- .github/workflows/haproxy.yml | 7 +- .github/workflows/hostap-vm.yml | 11 +- .github/workflows/intelasm-c-fallback.yml | 5 +- .github/workflows/ipmitool.yml | 7 +- .github/workflows/jwt-cpp.yml | 7 +- .github/workflows/krb5.yml | 7 +- .github/workflows/libspdm.yml | 7 +- .github/workflows/libssh2.yml | 7 +- .github/workflows/libvncserver.yml | 7 +- .github/workflows/linuxkm.yml | 5 +- .../macos-apple-native-cert-validation.yml | 5 +- .github/workflows/mbedtls.yml | 7 +- 
.github/workflows/membrowse-comment.yml | 32 -- .github/workflows/membrowse-report.yml | 16 +- .github/workflows/memcached.yml | 7 +- .github/workflows/mono.yml | 5 +- .github/workflows/mosquitto.yml | 7 +- .github/workflows/msmtp.yml | 7 +- .github/workflows/msys2.yml | 5 +- .github/workflows/multi-arch.yml | 5 +- .github/workflows/multi-compiler.yml | 5 +- .github/workflows/net-snmp.yml | 7 +- .github/workflows/nginx.yml | 7 +- .github/workflows/no-malloc.yml | 5 +- .github/workflows/no-tls.yml | 5 +- .github/workflows/nss.yml | 7 +- .github/workflows/ntp.yml | 7 +- .github/workflows/ocsp.yml | 5 +- .github/workflows/openldap.yml | 7 +- .github/workflows/openssh.yml | 7 +- .github/workflows/openssl-ech.yml | 9 +- .github/workflows/opensslcoexist.yml | 5 +- .github/workflows/openvpn.yml | 7 +- .github/workflows/os-check.yml | 15 +- .github/workflows/packaging.yml | 5 +- .github/workflows/pam-ipmi.yml | 7 +- .github/workflows/pq-all.yml | 5 +- .github/workflows/pr-commit-check.yml | 3 +- .github/workflows/psk.yml | 5 +- .github/workflows/puf.yml | 5 +- .github/workflows/python.yml | 7 +- .github/workflows/rng-tools.yml | 7 +- .github/workflows/rust-wrapper.yml | 5 +- .github/workflows/se050-sim.yml | 5 +- .github/workflows/smallStackSize.yml | 5 +- .github/workflows/smoke-test.yml | 120 +++++++ .github/workflows/socat.yml | 7 +- .github/workflows/softhsm.yml | 7 +- .github/workflows/sssd.yml | 7 +- .github/workflows/stm32-sim.yml | 5 +- .github/workflows/stsafe-a120-sim.yml | 5 +- .github/workflows/stunnel.yml | 7 +- .github/workflows/symbol-prefixes.yml | 5 +- .github/workflows/threadx.yml | 4 +- .github/workflows/trackmemory.yml | 5 +- .github/workflows/tropic01-sim.yml | 5 +- .github/workflows/watcomc.yml | 5 +- .github/workflows/win-csharp-test.yml | 5 +- .github/workflows/wolfCrypt-Wconversion.yml | 5 +- .github/workflows/wolfboot-integration.yml | 13 +- .github/workflows/wolfsm.yml | 5 +- .github/workflows/xcode.yml | 5 +- .github/workflows/zephyr-4.x.yml | 5 
+- .github/workflows/zephyr.yml | 5 +- Makefile.am | 1 + 89 files changed, 942 insertions(+), 244 deletions(-) create mode 100644 .github/actions/wait-for-smoke/action.yml create mode 100755 .github/scripts/check-source-text.sh create mode 100644 .github/workflows/check-source-text.yml delete mode 100644 .github/workflows/membrowse-comment.yml create mode 100644 .github/workflows/smoke-test.yml
diff --git a/.github/actions/install-apt-deps/action.yml b/.github/actions/install-apt-deps/action.yml
index ef6da738e94..0a671667fdc 100644
--- a/.github/actions/install-apt-deps/action.yml
+++ b/.github/actions/install-apt-deps/action.yml
@@ -54,6 +54,8 @@ runs:
 - name: Install packages
 shell: bash
+ env:
+ APT_CACHE_HIT: ${{ steps.apt-cache.outputs.cache-hit }}
 run: |
 export DEBIAN_FRONTEND=noninteractive
 RETRIES=${{ inputs.retries }}
@@ -62,6 +64,18 @@ runs:
 if [ "${{ inputs.no-install-recommends }}" = "true" ]; then
 NO_REC="--no-install-recommends"
 fi
+
+ # Fast path: on cache hit the .debs are already pre-seeded into
+ # /var/cache/apt/archives. Try installing directly first; if that
+ # fails (e.g. the cached .debs were superseded in the index) fall
+ # through to the regular update + install path.
+ if [ "$APT_CACHE_HIT" = "true" ]; then
+ if sudo apt-get install -y $NO_REC ${{ inputs.packages }}; then
+ exit 0
+ fi
+ echo "::warning::install from cached .debs failed, falling back to apt-get update"
+ fi
+
 for i in $(seq 1 $RETRIES); do
 if sudo apt-get update -q && \
 sudo apt-get install -y $NO_REC ${{ inputs.packages }}; then
diff --git a/.github/actions/wait-for-smoke/action.yml b/.github/actions/wait-for-smoke/action.yml
new file mode 100644
index 00000000000..13c15b7604c
--- /dev/null
+++ b/.github/actions/wait-for-smoke/action.yml
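Review bot: The fast path's `exit 0` terminates the whole `run:` script of the "Install packages" step, not just the install attempt, so any statements that follow the retry loop (the loop's end is outside this hunk) are skipped on a cache hit. If nothing follows the loop this is fine, but it is worth confirming; a flag is more robust than an early exit, e.g. `INSTALLED=0`, then `... ${{ inputs.packages }} && INSTALLED=1`, and `if [ "$INSTALLED" -eq 0 ]; then for i in ...; fi`. A one-line `echo "installed from cached .debs"` on the fast-path success would also make it visible in the log which path ran when a later step misbehaves.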
@@ -0,0 +1,95 @@
+name: 'Wait for Smoke Test'
+description: 'Polls the Smoke Test workflow for the current commit and fails if it failed.'
+
+# Designed to be the leading job in pull_request-triggered workflows so that
+# expensive integration CI does not run unless the smoke build passes.
+#
+# Push events bypass the wait entirely (we still get smoke results for those
+# pushes, but other CI is not gated on push). For drafts, callers should
+# skip dependent jobs via `if: github.event.pull_request.draft == false` -
+# this action will still pass through if smoke is skipped or absent.
+
+inputs:
+ workflow:
+ description: 'Name of the smoke workflow file to wait on'
+ required: false
+ default: 'smoke-test.yml'
+ timeout-seconds:
+ description: 'Maximum time to wait for smoke to complete'
+ required: false
+ default: '1800'
+ poll-seconds:
+ description: 'Polling interval'
+ required: false
+ default: '20'
+ github-token:
+ description: 'GITHUB_TOKEN with actions:read permission'
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Wait for smoke
+ shell: bash
+ env:
+ GH_TOKEN: ${{ inputs.github-token }}
+ SMOKE_WORKFLOW: ${{ inputs.workflow }}
+ TIMEOUT: ${{ inputs.timeout-seconds }}
+ POLL: ${{ inputs.poll-seconds }}
+ REPO: ${{ github.repository }}
+ run: |
+ set -u
+ # Only gate pull_request events. Push events are not gated.
+ if [ "${{ github.event_name }}" != "pull_request" ]; then
+ echo "Not a pull_request event - skipping smoke gate."
+ exit 0
+ fi
+
+ HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+ echo "Waiting for $SMOKE_WORKFLOW on $HEAD_SHA (timeout ${TIMEOUT}s)"
+
+ START=$(date +%s)
+ while :; do
+ NOW=$(date +%s)
+ ELAPSED=$((NOW - START))
+ if [ "$ELAPSED" -ge "$TIMEOUT" ]; then
+ echo "::error::Timed out after ${TIMEOUT}s waiting for $SMOKE_WORKFLOW on $HEAD_SHA"
+ exit 1
+ fi
+
+ # Look up the latest run for this workflow + head SHA.
+ RUN_JSON=$(gh api \
+ "repos/${REPO}/actions/workflows/${SMOKE_WORKFLOW}/runs?head_sha=${HEAD_SHA}&per_page=1" \
+ 2>/dev/null || echo '{}')
+
+ STATUS=$(echo "$RUN_JSON" | jq -r '.workflow_runs[0].status // "missing"')
+ CONCLUSION=$(echo "$RUN_JSON" | jq -r '.workflow_runs[0].conclusion // ""')
+ RUN_URL=$(echo "$RUN_JSON" | jq -r '.workflow_runs[0].html_url // ""')
+
+ case "$STATUS" in
+ completed)
+ case "$CONCLUSION" in
+ success)
+ echo "Smoke test passed: $RUN_URL"
+ exit 0
+ ;;
+ skipped|neutral)
+ echo "Smoke test was $CONCLUSION - treating as pass: $RUN_URL"
+ exit 0
+ ;;
+ *)
+ echo "::error::Smoke test concluded as '$CONCLUSION': $RUN_URL"
+ exit 1
+ ;;
+ esac
+ ;;
+ missing)
+ echo "[$ELAPSED s] No smoke run yet for $HEAD_SHA"
+ ;;
+ *)
+ echo "[$ELAPSED s] Smoke status=$STATUS ($RUN_URL)"
+ ;;
+ esac
+
+ sleep "$POLL"
+ done
diff --git a/.github/scripts/check-source-text.sh b/.github/scripts/check-source-text.sh
new file mode 100755
index 00000000000..7ca3e9cb9c9
--- /dev/null
+++ b/.github/scripts/check-source-text.sh
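Review bot: The `gh api ... 2>/dev/null || echo '{}'` fallback makes every API failure (token without `actions: read`, rate limiting, a mistyped `workflow` input giving a 404) indistinguishable from "no run yet", so the caller polls for the full 1800 s timeout with a log that only says `No smoke run yet`. Keeping the failure visible costs three lines: `if ! RUN_JSON=$(gh api "repos/${REPO}/actions/workflows/${SMOKE_WORKFLOW}/runs?head_sha=${HEAD_SHA}&per_page=1"); then` / `echo "::warning::gh api lookup failed for $SMOKE_WORKFLOW (retrying)"; RUN_JSON='{}'` / `fi`. With the error text on the log, a missing permission or a bad workflow name is diagnosable from the first poll rather than after a 30-minute timeout; a 404 in particular could be treated as fatal immediately. The `${{ github.event_name }}` and `head.sha` interpolations are fixed-format values, so this is not an expression-injection concern.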
@@ -0,0 +1,309 @@
+#!/usr/bin/env bash
+#
+# check-source-text.sh
+#
+# Source-hygiene checker for wolfSSL.
+# Public subset of the internal wolfssl-multi-test.sh check-source-text scenario.
+#
+# Subtests (lettered to match the internal multi-test):
+# A. trailing whitespace
+# B. no ending newline
+# C. 8-bit / non-ASCII bytes
+# D. weird control chars, hard tabs, CRs (excluding Makefile-like, .S, .asm)
+# E. C++ '//' comments in C-like files (excluding // NOLINT and // cppcheck)
+# F. flush-left function calls (debug residue) in C-like files
+# G. invalid UTF-8 (requires iconv)
+# H. macros that take args but have an empty definition
+#
+# Not ported (require pcre2grep against built artifacts or are
+# wolfSSL-internal conventions covered elsewhere):
+# I. unescaped error code operands (WC_NO_ERR_TRACE)
+# J. unannotated native heap access
+# K. unknown macros (requires built config.h + .wolfssl_known_macro_extras)
+# L. codespell - run as its own workflow (.github/workflows/codespell.yml)
+#
+# Usage:
+# .github/scripts/check-source-text.sh # scan all tracked files
+# .github/scripts/check-source-text.sh # scan a specific list
+#
+# Exits 0 if clean, 1 if any check fails.
+# When run under GitHub Actions, emits ::error file=...,line=... annotations.
+
+set -u
+shopt -s extglob
+
+ROOT="$(git rev-parse --show-toplevel)"
+cd "$ROOT" || exit 2
+
+FAIL=0
+GHA="${GITHUB_ACTIONS:-}"
+
+emit() {
+ # emit
+ local check="$1" file="$2" line="$3" msg="$4"
+ if [ -n "$GHA" ]; then
+ printf '::error file=%s,line=%s,title=%s::%s\n' "$file" "$line" "$check" "$msg"
+ else
+ printf '%s:%s: [%s] %s\n' "$file" "$line" "$check" "$msg"
+ fi
+ FAIL=1
+}
+
+# ---- File classification ----------------------------------------------------
+
+is_excluded() {
+ case "$1" in
+ IDE/*|mcapi/*|mplabx/*|mqx/*|RTOS/*|tirtos/*|zephyr/*|bsdkm/*) return 0 ;;
+ debian/*|rpm/*|Docker/*|build-aux/*|autom4te.cache/*) return 0 ;;
+ cyassl/*|doc/*) return 0 ;;
+ aclocal.m4|config.in|Makefile.in) return 0 ;;
+ certs/*|*.der|*.pem|*.crl|*.p12|*.pfx|*.jks) return 0 ;;
+ *.gz|*.zip|*.tar|*.bz2|*.xz|*.7z) return 0 ;;
+ *.png|*.jpg|*.jpeg|*.gif|*.ico|*.pdf) return 0 ;;
+ *.vcproj|*.vcxproj|*.vcxproj.user|*.sln|*.sdf) return 0 ;;
+ *.gen.h|*.generated.*) return 0 ;;
+ ChangeLog.md) return 0 ;;
+ wolfcrypt/src/fp_*.i|wolfcrypt/src/sp_dsp32.c) return 0 ;;
+ esac
+ return 1
+}
+
+# Mirrors multi-test scrubbable_extensions.
+is_scrubbable() {
+ case "$1" in
+ *.c|*.h|*.s|*.S|*.i) return 0 ;;
+ *.cc|*.cpp|*.cxx|*.hpp|*.hxx|*.cu) return 0 ;;
+ *.asm) return 0 ;;
+ *.in|*.ac|*.am|*.m4|*.mk) return 0 ;;
+ *.yml|*.sh|*.css|*.js|*.dox|*.tex|*.html|*.md) return 0 ;;
+ CMakeLists.txt) return 0 ;;
+ scripts/*.test) return 0 ;;
+ esac
+ return 1
+}
+
+# Mirrors multi-test c_like_extensions: *.[chi] + *.cu
+is_c_like() {
+ case "$1" in
+ *.c|*.h|*.i|*.cu) return 0 ;;
+ esac
+ return 1
+}
+
+is_makelike() {
+ case "$1" in
+ Makefile|Makefile.*|*.am|*.mk) return 0 ;;
+ esac
+ return 1
+}
+
+# ---- Build file list --------------------------------------------------------
+
+if [ "$#" -gt 0 ]; then
+ INPUT_FILES=("$@")
+else
+ mapfile -t INPUT_FILES < <(git ls-files)
+fi
+
+SCRUB=()
+C_LIKE=()
+for f in "${INPUT_FILES[@]}"; do
+ [ -f "$f" ] || continue
+ is_excluded "$f" && continue
+ if is_scrubbable "$f"; then SCRUB+=("$f"); fi
+ if is_c_like "$f"; then C_LIKE+=("$f"); fi
+done
+
+have_scrub() { [ "${#SCRUB[@]}" -gt 0 ]; }
+have_c_like() { [ "${#C_LIKE[@]}" -gt 0 ]; }
+
+# Stream grep output (file:line:rest) and convert to annotated emit() calls.
+emit_hits() {
+ local check="$1" msg="$2" f row line
+ while IFS= read -r row; do
+ f="${row%%:*}"
+ row="${row#*:}"
+ line="${row%%:*}"
+ emit "$check" "$f" "$line" "$msg"
+ done
+}
+
+# ---- Subtests ---------------------------------------------------------------
+
+# A. trailing whitespace
+check_trailing_whitespace() {
+ have_scrub || return 0
+ emit_hits "trailing-whitespace" "trailing whitespace" \
+ < <(LC_ALL=C grep -E -n -e $'[ \t]+$' -- "${SCRUB[@]}" 2>/dev/null || true)
+}
+
+# B. no ending newline
+check_no_ending_newline() {
+ have_scrub || return 0
+ local f
+ for f in "${SCRUB[@]}"; do
+ [ -s "$f" ] || continue
+ if [ -n "$(tail -c 1 -- "$f")" ]; then
+ emit "no-ending-newline" "$f" 1 "missing newline at end of file"
+ fi
+ done
+}
+
+# Per-subtest exclusions mirror the internal multi-test's path filters.
+
+excl_8bit() {
+ case "$1" in
+ *.md|README*|AUTHORS|*.txt) return 0 ;;
+ examples/client/client.c) return 0 ;;
+ examples/server/server.c) return 0 ;;
+ wolfcrypt/benchmark/benchmark.c) return 0 ;;
+ wolfssl/test.h) return 0 ;;
+ esac
+ return 1
+}
+
+excl_control_chars() {
+ is_makelike "$1" && return 0
+ case "$1" in
+ *.S|*.asm) return 0 ;;
+ wolfcrypt/src/port/arm/*) return 0 ;;
+ wolfcrypt/src/asm.c|wolfcrypt/src/sp_*.c) return 0 ;;
+ linuxkm/libwolfssl.mod.c) return 0 ;;
+ debian/rules.in) return 0 ;;
+ m4/*) return 0 ;;
+ */include.am) return 0 ;;
+ esac
+ return 1
+}
+
+excl_cpp_comments() {
+ case "$1" in
+ wolfcrypt/src/port/arm/*) return 0 ;;
+ mcapi/*) return 0 ;;
+ */user_settings*.h|user_settings*.h) return 0 ;;
+ resource.h) return 0 ;;
+ wolfcrypt/src/asm.c|wolfcrypt/src/sp_*.c) return 0 ;;
+ esac
+ return 1
+}
+
+excl_utf8() {
+ case "$1" in
+ wolfssl.prime) return 0 ;;
+ wolfcrypt/src/port/arm/*) return 0 ;;
+ esac
+ return 1
+}
+
+# H is scoped narrowly in multi-test: only wolfssl/, wolfcrypt/src/, src/
+# C-like files, and excludes sp_*.c (allows sp_int.c).
+in_empty_macro_scope() {
+ case "$1" in
+ wolfssl/*|wolfcrypt/src/*|src/*) ;;
+ *) return 1 ;;
+ esac
+ case "$1" in
+ wolfcrypt/src/sp_int.c) return 0 ;;
+ wolfcrypt/src/sp_*.c) return 1 ;;
+ esac
+ return 0
+}
+
+# C. 8-bit / non-ASCII bytes.
+check_8bit() {
+ local files=() f
+ for f in "${SCRUB[@]}"; do
+ excl_8bit "$f" && continue
+ files+=("$f")
+ done
+ [ "${#files[@]}" -gt 0 ] || return 0
+ emit_hits "non-ascii" "non-ASCII (8-bit) byte" \
+ < <(LC_ALL=C grep -E -n -e $'[^\001-\177]' -- "${files[@]}" 2>/dev/null || true)
+}
+
+# D. weird control chars / hard tabs / CRs.
+check_control_chars() {
+ local files=() f
+ for f in "${SCRUB[@]}"; do
+ excl_control_chars "$f" && continue
+ files+=("$f")
+ done
+ [ "${#files[@]}" -gt 0 ] || return 0
+ # \001-\011: SOH..HT (includes \t); \013-\037: VT..US (includes \r); \177: DEL
+ # \012 (LF) excluded so newline-terminated lines pass through.
+ emit_hits "control-char" "weird control char / hard tab / CR" \
+ < <(LC_ALL=C grep -E -n -e $'[\001-\011\013-\037\177]' -- "${files[@]}" 2>/dev/null || true)
+}
+
+# E. C++-style // comments in C-like files.
+# Allows "// NOLINT" and "// cppcheck" suppressions (no /**/ alternatives).
+# Needs GNU grep -P for the negative lookahead.
+check_cpp_comments() {
+ local files=() f
+ for f in "${C_LIKE[@]}"; do
+ excl_cpp_comments "$f" && continue
+ files+=("$f")
+ done
+ [ "${#files[@]}" -gt 0 ] || return 0
+ emit_hits "cpp-comment" "C++-style // comment" \
+ < <(LC_ALL=C grep -P -n \
+ -e '(^|[^:"*+a-zA-Z0-9])//(?!([*]| ?NOLINT| ?cppcheck)).*$' \
+ -- "${files[@]}" 2>/dev/null || true)
+}
+
+# F. flush-left function calls (typically debugging residue).
+check_flush_left_calls() {
+ have_c_like || return 0
+ emit_hits "flush-left-call" "flush-left function call (debug residue?)" \
+ < <(LC_ALL=C grep -P -n \
+ -e '^(?!(?:wc_)?static_assert[0-9]* *\(|module_init *\(|module_exit *\(|[A-Z][A-Z0-9_]* *\()[a-zA-Z_]+[a-zA-Z0-9_]* *\(.*\);' \
+ -- "${C_LIKE[@]}" 2>/dev/null || true)
+}
+
+# G. invalid UTF-8 (requires iconv).
+check_utf8() {
+ if ! command -v iconv >/dev/null 2>&1; then
+ echo "check-source-text: [skipping invalid-utf8 - iconv not available]" >&2
+ return 0
+ fi
+ have_scrub || return 0
+ local f
+ for f in "${SCRUB[@]}"; do
+ excl_utf8 "$f" && continue
+ if ! LC_ALL=en_US.UTF-8 iconv -f UTF-8 -o /dev/null -- "$f" 2>/dev/null; then
+ emit "invalid-utf8" "$f" 1 "file is not valid UTF-8"
+ fi
+ done
+}
+
+# H. macros that take args but have an empty definition.
+# Scoped to wolfssl/, wolfcrypt/src/, src/ - excludes sp_*.c except sp_int.c.
+check_empty_macros() {
+ local files=() f
+ for f in "${C_LIKE[@]}"; do
+ in_empty_macro_scope "$f" || continue
+ files+=("$f")
+ done
+ [ "${#files[@]}" -gt 0 ] || return 0
+ emit_hits "empty-macro" "macro takes args but has empty body" \
+ < <(LC_ALL=C grep -E -n \
+ -e '#define +[A-Za-z0-9_]+\( *[A-Za-z0-9_]+ *(, *[A-Za-z0-9_]+)* *\) *$' \
+ -- "${files[@]}" 2>/dev/null || true)
+}
+
+# ---- Run --------------------------------------------------------------------
+
+check_trailing_whitespace
+check_no_ending_newline
+check_8bit
+check_control_chars
+check_cpp_comments
+check_flush_left_calls
+check_utf8
+check_empty_macros
+
+if [ "$FAIL" -ne 0 ]; then
+ echo "::error::check-source-text found violations" >&2
+ exit 1
+fi
+echo "check-source-text: clean"
diff --git a/.github/workflows/ada.yml b/.github/workflows/ada.yml
index 8b9391feab0..42843f779ad 100644
--- a/.github/workflows/ada.yml
+++ b/.github/workflows/ada.yml
@@ -2,14 +2,15 @@ name: WolfSSL Ada Build Tests
 on:
 push:
- branches: [ 'master', 'main', 'release/**' ]
+ branches: [ 'release/**' ]
 pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
 branches: [ '*' ]
 jobs:
 build:
- if: github.repository_owner == 'wolfssl'
+ if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
 runs-on: ubuntu-24.04
 steps:
diff --git a/.github/workflows/arduino.yml b/.github/workflows/arduino.yml
index a90d3791932..7bab71c119d 100644
--- a/.github/workflows/arduino.yml
+++ b/.github/workflows/arduino.yml
@@ -48,7 +48,7 @@ name: Arduino CI Build (1 of 4) wolfssl
 # START OF COMMON SECTION
 on:
 push:
- branches: [ '**', 'master', 'main', 'release/**' ]
+ branches: [ 'release/**' ]
 paths:
 # Specific to this Arduino CI Build (1 of 4)
 - '.github/workflows/arduino.yml'
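Review bot: `emit_hits` assumes `file:line:rest` input, but `grep -n` only prefixes the filename when it is given more than one file; with exactly one file in `SCRUB`, `C_LIKE` or a per-check `files` array (the normal case for a one-file PR, since the workflow passes only changed files) the output is `line:rest`, so `f` becomes the line number and `line` the matched text, and the `::error file=...` annotation points nowhere. The fix is one flag on each of the five grep invocations that feed `emit_hits` — `LC_ALL=C grep -H -E -n -e ...` (and `grep -H -P -n` in checks E and F); `-H` is supported by the GNU grep the script already requires for `-P`. While there, the `${row%%:*}` split also assumes no `:` in a path, which is true of this tree today but worth a one-line comment on `emit_hits`.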
@@ -57,6 +57,7 @@ on: - 'wolfcrypt/**' - 'wolfssl/**' pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '**' ] paths: - '.github/workflows/arduino.yml' @@ -76,7 +77,7 @@ concurrency: jobs: build: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # Teensy is allowed to fail: its board index lives at pjrc.com, which is # chronically unreachable from GitHub Actions runner egress IPs (DNS diff --git a/.github/workflows/async-examples.yml b/.github/workflows/async-examples.yml index 135bf36c8e3..76d79f89787 100644 --- a/.github/workflows/async-examples.yml +++ b/.github/workflows/async-examples.yml @@ -2,8 +2,9 @@ name: Async Examples on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -12,7 +13,7 @@ concurrency: jobs: async_examples: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 10 strategy: diff --git a/.github/workflows/async.yml b/.github/workflows/async.yml index c6956458de2..0ed513a21c0 100644 --- a/.github/workflows/async.yml +++ b/.github/workflows/async.yml @@ -3,8 +3,9 @@ name: Async Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -25,7 +26,7 @@ jobs: '--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/atecc608-sim.yml b/.github/workflows/atecc608-sim.yml index f3768a1b6c5..2a1e8603faa 100644 --- a/.github/workflows/atecc608-sim.yml +++ b/.github/workflows/atecc608-sim.yml @@ -3,8 +3,9 @@ name: ATECC608 simulator test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -31,7 +32,7 @@ env: jobs: atecc608_sim: name: wolfCrypt against ATECC608 simulator - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 30 steps: diff --git a/.github/workflows/bind.yml b/.github/workflows/bind.yml index a69b866e031..b1d73fd2f4f 100644 --- a/.github/workflows/bind.yml +++ b/.github/workflows/bind.yml @@ -3,8 +3,9 @@ name: bind9 Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -46,7 +47,7 @@ jobs: # List of releases to test ref: [ 9.18.0, 9.18.28, 9.18.33, 9.20.11 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/check-source-text.yml b/.github/workflows/check-source-text.yml new file mode 100644 index 00000000000..81d11cc72fb --- /dev/null +++ b/.github/workflows/check-source-text.yml 
@@ -0,0 +1,107 @@
+name: Check Source Text
+
+# Source-hygiene + shell-script lint. Runs on drafts too - fast feedback.
+#
+# Checks:
+# * check-source-text.sh: trailing whitespace, hard tabs in C/H, CRLF,
+# BOM / non-ASCII.
+# * bash -n + shellcheck (warning level) on shell scripts.
+#
+# Scope:
+# * pull_request: only files changed in the PR (catches new violations
+# without failing on historical debt).
+# * push: scan the full tree (baseline guard on master).
+
+on:
+ push:
+ branches: [ master, main ]
+ pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
+ branches: [ master, main ]
+
+concurrency:
+ group: check-source-text-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ check:
+ runs-on: ubuntu-24.04
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install shellcheck
+ uses: ./.github/actions/install-apt-deps
+ with:
+ packages: shellcheck
+
+ - name: Collect files to check
+ id: files
+ run: |
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ BASE_SHA="${{ github.event.pull_request.base.sha }}"
+ HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+ git diff --name-only --diff-filter=ACMR "$BASE_SHA" "$HEAD_SHA" \
+ > changed.txt || true
+ grep -E '\.sh$' changed.txt > changed-sh.txt || true
+ echo "Files changed in PR:"
+ cat changed.txt
+ echo "Shell scripts changed:"
+ cat changed-sh.txt
+ echo "count=$(wc -l < changed.txt)" >> "$GITHUB_OUTPUT"
+ echo "sh_count=$(wc -l < changed-sh.txt)" >> "$GITHUB_OUTPUT"
+ else
+ : > changed.txt
+ git ls-files '*.sh' > changed-sh.txt
+ echo "count=0" >> "$GITHUB_OUTPUT"
+ echo "sh_count=$(wc -l < changed-sh.txt)" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run check-source-text (PR changed files)
+ if: github.event_name == 'pull_request' && steps.files.outputs.count != '0'
+ run: |
+ # shellcheck disable=SC2046
+ ./.github/scripts/check-source-text.sh $(cat changed.txt)
+
+ - name: Run check-source-text (full tree)
+ if: github.event_name != 'pull_request'
+ run: ./.github/scripts/check-source-text.sh
+
+ - name: bash -n (syntax check)
+ if: steps.files.outputs.sh_count != '0'
+ run: |
+ fail=0
+ while IFS= read -r f; do
+ [ -f "$f" ] || continue
+ if ! bash -n "$f"; then
+ echo "::error file=$f::bash -n syntax error"
+ fail=1
+ fi
+ done < changed-sh.txt
+ exit "$fail"
+
+ - name: shellcheck (warning level)
+ if: steps.files.outputs.sh_count != '0'
+ run: |
+ # Mirrors the internal multi-test check-shell-scripts subtest:
+ # --severity=warning
+ # -e SC2226,SC2166,SC2164,SC2046,SC2034,SC2188,SC2043
+ # SC2226 (no ln destination), SC2166 ([ p -a q ]), SC2164 (cd ||),
+ # SC2046 (word splitting), SC2034 (unused var), SC2188 (redirect
+ # w/o command), SC2043 (loop runs once) - common in this codebase,
+ # suppressed in the internal multi-test for the same reason.
+ fail=0
+ while IFS= read -r f; do
+ [ -f "$f" ] || continue
+ if ! shellcheck --severity=warning \
+ --exclude=SC2226,SC2166,SC2164,SC2046,SC2034,SC2188,SC2043 \
+ --format=gcc "$f"; then
+ fail=1
+ fi
+ done < changed-sh.txt
+ exit "$fail"
diff --git a/.github/workflows/cmake-autoconf.yml b/.github/workflows/cmake-autoconf.yml
index 0aff795e1ad..a0f9cd11ec3 100644
--- a/.github/workflows/cmake-autoconf.yml
+++ b/.github/workflows/cmake-autoconf.yml
@@ -2,13 +2,14 @@ name: WolfSSL CMake Autoconf Interworking Test
 on:
 push:
- branches: [ 'master', 'main', 'release/**' ]
+ branches: [ 'release/**' ]
 pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
 branches: [ '*' ]
 jobs:
 build:
- if: github.repository_owner == 'wolfssl'
+ if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
 runs-on: ubuntu-24.04
 steps:
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
index f2f5475fcb3..4d292950822 100644
--- a/.github/workflows/cmake.yml
+++ b/.github/workflows/cmake.yml
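Review bot: In "Collect files to check", `git diff --name-only ... > changed.txt || true` turns a failed diff (for example a base SHA that was not fetched) into an empty `changed.txt`, `count=0`, and a skipped check step, so the job goes green having checked nothing; drop the `|| true` (or `echo "::error::git diff failed"; exit 1`) so a lookup failure fails the gate instead of passing it. The `$(cat changed.txt)` expansion in the PR step word-splits on whitespace in paths; `xargs -r -d '\n' ./.github/scripts/check-source-text.sh < changed.txt` passes each line as one argument and also removes the need for the SC2046 suppression. The header comment's "hard tabs in C/H, CRLF, BOM / non-ASCII" does not match what the script actually runs — its own header lists subtests A–H (trailing whitespace, missing final newline, non-ASCII bytes, control chars/tabs/CR, `//` comments, flush-left calls, invalid UTF-8, empty macros) — so the comment should mirror that list, or simply point at the script's header.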
@@ -2,13 +2,14 @@ name: WolfSSL CMake Build Tests on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] jobs: build: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 steps: diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index f6dfdd8acbf..657fa8de9ac 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -4,6 +4,7 @@ on: push: branches: [ 'master', 'main', 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -13,7 +14,7 @@ concurrency: jobs: codespell: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/cryptocb-only.yml b/.github/workflows/cryptocb-only.yml index 101c74dffcc..8e8c4914b65 100644 --- a/.github/workflows/cryptocb-only.yml +++ b/.github/workflows/cryptocb-only.yml @@ -3,8 +3,9 @@ name: cryptocb-only Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -54,7 +55,7 @@ jobs: -DWOLF_CRYPTO_CB_ONLY_ECC -DWOLF_CRYPTO_CB_ONLY_RSA -DWOLF_CRYPTO_CB_ONLY_SHA256 -DWOLF_CRYPTO_CB_ONLY_AES name: make check (${{ matrix.name }}) - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 10 env: 
diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 85df8b79845..0f389cf5a33 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -3,8 +3,9 @@ name: curl Test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -39,7 +40,7 @@ jobs: test_curl: name: ${{ matrix.curl_ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 15 diff --git a/.github/workflows/cyrus-sasl.yml b/.github/workflows/cyrus-sasl.yml index 0f009d2d540..76662d2efc5 100644 --- a/.github/workflows/cyrus-sasl.yml +++ b/.github/workflows/cyrus-sasl.yml @@ -3,8 +3,9 @@ name: cyrus-sasl Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. 
@@ -47,7 +48,7 @@ jobs: # List of releases to test ref: [ 2.1.28 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/disable-pk-algs.yml b/.github/workflows/disable-pk-algs.yml index 30573ee942c..02e5563aceb 100644 --- a/.github/workflows/disable-pk-algs.yml +++ b/.github/workflows/disable-pk-algs.yml @@ -3,8 +3,9 @@ name: disable-pk-algs Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -35,7 +36,7 @@ jobs: '--enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-ed448', ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/docker-Espressif.yml b/.github/workflows/docker-Espressif.yml index 4e79636f38c..b2a0bda2488 100644 --- a/.github/workflows/docker-Espressif.yml +++ b/.github/workflows/docker-Espressif.yml @@ -2,8 +2,9 @@ name: Espressif examples tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -14,7 +15,7 @@ concurrency: jobs: espressif_latest: name: latest Docker container - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 12 @@ -28,7 +29,7 @@ jobs: run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh espressif_v4_4: name: v4.4 Docker container - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 container: image: espressif/idf:release-v4.4 @@ -38,7 +39,7 @@ jobs: run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh espressif_v5_0: name: v5.0 Docker container - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 container: image: espressif/idf:release-v5.0 diff --git a/.github/workflows/docker-OpenWrt.yml b/.github/workflows/docker-OpenWrt.yml index 1d8db9c2c96..82cd0cfd7a9 100644 --- a/.github/workflows/docker-OpenWrt.yml +++ b/.github/workflows/docker-OpenWrt.yml @@ -5,8 +5,9 @@ name: OpenWrt test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -17,7 +18,7 @@ concurrency: jobs: build_library: name: Compile libwolfssl.so - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -41,7 +42,7 @@ jobs: retention-days: 5 compile_container: name: Compile container - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 2 diff --git a/.github/workflows/emnet-nonblock.yml b/.github/workflows/emnet-nonblock.yml index 052ac20db85..d847fa31efc 100644 --- a/.github/workflows/emnet-nonblock.yml +++ b/.github/workflows/emnet-nonblock.yml @@ -3,8 +3,9 @@ name: emNET non-blocking handshake test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -22,7 +23,7 @@ concurrency: jobs: emnet_nonblock: name: wolfSSL emNET non-blocking handshake - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 20 steps: diff --git a/.github/workflows/fil-c.yml b/.github/workflows/fil-c.yml index 410ba02727c..2a0ff443718 100644 --- a/.github/workflows/fil-c.yml +++ b/.github/workflows/fil-c.yml @@ -6,8 +6,9 @@ env: # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -27,7 +28,7 @@ jobs: ] # This should be a safe limit for the tests to run. timeout-minutes: 30 - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 name: ${{ matrix.config }} steps: diff --git a/.github/workflows/freertos-mem-track.yml b/.github/workflows/freertos-mem-track.yml index 8870b903c17..545d15084f0 100644 --- a/.github/workflows/freertos-mem-track.yml +++ b/.github/workflows/freertos-mem-track.yml @@ -3,8 +3,9 @@ name: FreeRTOS mem_track.h compile regression # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -24,7 +25,7 @@ concurrency: jobs: freertos_mem_track: name: mem_track.h non-Linux multi-threaded compile - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 5 steps: diff --git a/.github/workflows/gencertbuf.yml b/.github/workflows/gencertbuf.yml index 3550f22e2bf..3f352bdf888 100644 --- a/.github/workflows/gencertbuf.yml +++ b/.github/workflows/gencertbuf.yml @@ -3,8 +3,9 @@ name: Test gencertbuf script # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: gencertbuf: name: gencertbuf - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 
diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 8a61874f3c6..679fa6f9d46 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -3,8 +3,9 @@ name: grpc Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -51,7 +52,7 @@ jobs: test_core_security_ssl_credentials_test test_cpp_end2end_ssl_credentials_test h2_ssl_cert_test h2_ssl_session_reuse_test name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 30 diff --git a/.github/workflows/haproxy.yml b/.github/workflows/haproxy.yml index 8b9c502270b..7e3b04bfc4e 100644 --- a/.github/workflows/haproxy.yml +++ b/.github/workflows/haproxy.yml @@ -3,8 +3,9 @@ name: haproxy Test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -39,7 +40,7 @@ jobs: test_haproxy: name: ${{ matrix.haproxy_ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 15 diff --git a/.github/workflows/hostap-vm.yml b/.github/workflows/hostap-vm.yml index 58b382e909d..b4238f8827d 100644 --- a/.github/workflows/hostap-vm.yml +++ b/.github/workflows/hostap-vm.yml @@ -3,8 +3,9 @@ name: hostap and wpa-supplicant Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -27,7 +28,7 @@ jobs: --enable-wpas-dpp --enable-brainpool --with-eccminsz=192 --enable-tlsv10 --enable-oldtls name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 @@ -65,7 +66,7 @@ jobs: checkout_hostap: name: Checkout hostap repo - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 
@@ -93,7 +94,7 @@ jobs: build_uml_linux: name: Build UML (UserMode Linux) - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 @@ -181,7 +182,7 @@ jobs: build_id: hostap-vm-build2 } name: hwsim test - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 45 diff --git a/.github/workflows/intelasm-c-fallback.yml b/.github/workflows/intelasm-c-fallback.yml index adbe9421899..34cac82c13a 100644 --- a/.github/workflows/intelasm-c-fallback.yml +++ b/.github/workflows/intelasm-c-fallback.yml @@ -3,8 +3,9 @@ name: Dynamic C Fallback Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -21,7 +22,7 @@ jobs: '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DWC_DEBUG_CIPHER_LIFECYCLE"' ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/ipmitool.yml b/.github/workflows/ipmitool.yml index c3ae6c26e19..95ba0d0079e 100644 
--- a/.github/workflows/ipmitool.yml +++ b/.github/workflows/ipmitool.yml @@ -3,8 +3,9 @@ name: ipmitool Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -47,7 +48,7 @@ jobs: matrix: git_ref: [ c3939dac2c060651361fc71516806f9ab8c38901 ] name: ${{ matrix.git_ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 needs: build_wolfssl steps: diff --git a/.github/workflows/jwt-cpp.yml b/.github/workflows/jwt-cpp.yml index 2120b22a178..6080e8c0219 100644 --- a/.github/workflows/jwt-cpp.yml +++ b/.github/workflows/jwt-cpp.yml @@ -3,8 +3,9 @@ name: jwt-cpp Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 
@@ -41,7 +42,7 @@ jobs: retention-days: 5 build_pam-ipmi: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} strategy: fail-fast: false matrix: diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index a0c6b5d2147..d9d5648ebbe 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -3,8 +3,9 @@ name: Kerberos 5 Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 5 @@ -49,7 +50,7 @@ jobs: # List of releases to test ref: [ 1.21.1 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 8 diff --git a/.github/workflows/libspdm.yml b/.github/workflows/libspdm.yml index e9ca1678aa1..0f0ed847561 100644 --- a/.github/workflows/libspdm.yml +++ b/.github/workflows/libspdm.yml @@ -3,8 +3,9 @@ name: libspdm Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -45,7 +46,7 @@ jobs: # List of releases to test ref: [ 3.7.0 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index f450236f843..130f4885fd3 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -3,8 +3,9 @@ name: libssh2 Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -46,7 +47,7 @@ jobs: # List of releases to test ref: [ 1.11.1 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 8 
diff --git a/.github/workflows/libvncserver.yml b/.github/workflows/libvncserver.yml index b2e7a1895eb..a88be64de26 100644 --- a/.github/workflows/libvncserver.yml +++ b/.github/workflows/libvncserver.yml @@ -3,8 +3,9 @@ name: libvncserver Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -46,7 +47,7 @@ jobs: matrix: ref: [ 0.9.13, 0.9.14 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 needs: build_wolfssl steps: diff --git a/.github/workflows/linuxkm.yml b/.github/workflows/linuxkm.yml index 347c4b733d1..e785cf56cb5 100644 --- a/.github/workflows/linuxkm.yml +++ b/.github/workflows/linuxkm.yml @@ -3,8 +3,9 @@ name: Kernel Module Build # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -21,7 +22,7 @@ jobs: 'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-pie --enable-reproducible-build --enable-linuxkm-lkcapi-register=all --enable-all-crypto --enable-cryptonly --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --disable-sp-asm --enable-crypttests --enable-linuxkm-benchmarks CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -DDEBUG_LINUXKM_PIE_SUPPORT -Wframe-larger-than=2048 -Wstack-usage=4096 -DBENCH_EMBEDDED -DBENCH_MIN_RUNTIME_SEC=0.01 -DBENCH_NTIMES=1 -DBENCH_AGREETIMES=1" --with-max-rsa-bits=16384' ] name: build module - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-latest timeout-minutes: 5 steps: diff --git a/.github/workflows/macos-apple-native-cert-validation.yml b/.github/workflows/macos-apple-native-cert-validation.yml index 045686a14df..c431ee64a5b 100644 --- a/.github/workflows/macos-apple-native-cert-validation.yml +++ b/.github/workflows/macos-apple-native-cert-validation.yml @@ -3,8 +3,9 @@ name: MacOS apple native cert validation tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -14,7 +15,7 @@ concurrency: jobs: make_check: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: macos-latest # This should be a safe limit for the tests to run. timeout-minutes: 5 diff --git a/.github/workflows/mbedtls.yml b/.github/workflows/mbedtls.yml index 3cc7e2c44b1..37525a3a7bb 100644 
--- a/.github/workflows/mbedtls.yml +++ b/.github/workflows/mbedtls.yml @@ -3,8 +3,9 @@ name: mbedtls interop Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -18,7 +19,7 @@ env: jobs: build_mbedtls: name: Build mbedtls - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 @@ -55,7 +56,7 @@ jobs: mbedtls_test: name: Test interop with mbedtls - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 needs: build_mbedtls timeout-minutes: 15 diff --git a/.github/workflows/membrowse-comment.yml b/.github/workflows/membrowse-comment.yml deleted file mode 100644 index 1357bca7d99..00000000000 --- a/.github/workflows/membrowse-comment.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: Membrowse Comment - -on: - workflow_run: - workflows: [Membrowse Memory Report] - types: - - completed - -jobs: - post-comment: - runs-on: ubuntu-24.04 - timeout-minutes: 10 - # Run the comment job even if some of the builds fail - if: > - github.event.workflow_run.event == 'pull_request' && - github.event.workflow_run.conclusion != 'cancelled' - permissions: - contents: read - pull-requests: write - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - - name: Post Membrowse PR comment - if: ${{ env.MEMBROWSE_API_KEY != '' }} - uses: membrowse/membrowse-action/comment-action@v1 - with: - api_key: ${{ secrets.MEMBROWSE_API_KEY }} - commit: ${{ github.event.workflow_run.head_sha }} - env: - MEMBROWSE_API_KEY: ${{ secrets.MEMBROWSE_API_KEY }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/membrowse-report.yml b/.github/workflows/membrowse-report.yml index dfc67b5bfe3..40a08851838 100644 --- a/.github/workflows/membrowse-report.yml +++ b/.github/workflows/membrowse-report.yml @@ -1,14 +1,17 @@ name: Membrowse Memory Report +# Runs nightly instead of per-PR - the report is for trend tracking, not +# gating individual PRs, and the build matrix is too heavy to run on every +# push. Use workflow_dispatch to trigger an ad-hoc run. + on: - pull_request: - push: - branches: - - master + schedule: + - cron: '0 4 * * *' # daily at 04:00 UTC + workflow_dispatch: concurrency: - group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.sha || github.ref }} - cancel-in-progress: ${{ github.event_name == 'pull_request' }} + group: ${{ github.workflow }} + cancel-in-progress: false jobs: load-targets: @@ -59,4 +62,3 @@ jobs: api_key: ${{ secrets.MEMBROWSE_API_KEY }} api_url: ${{ vars.MEMBROWSE_API_URL }} verbose: INFO - diff --git a/.github/workflows/memcached.yml b/.github/workflows/memcached.yml index 3e595f90249..d6be91cca56 100644 --- a/.github/workflows/memcached.yml 
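Review bot: In the membrowse-report.yml hunk the workflow now runs on `schedule`, but the `load-targets` job visible at the end of the hunk shows no `if: github.repository_owner == 'wolfssl'` guard like the one every other workflow in this series carries; the job body lies outside the hunk, so this may already be present further down. If it is not, forks that have Actions enabled will attempt the nightly build matrix without `secrets.MEMBROWSE_API_KEY` and `vars.MEMBROWSE_API_URL`, which only wastes runner time and produces failing uploads. Adding `if: github.repository_owner == 'wolfssl'` to the first job (and to any job that does not `needs:` it) keeps the nightly confined to the upstream repository. The second hunk (`@@ -59,4 +62,3`) is whitespace only.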
+++ b/.github/workflows/memcached.yml @@ -3,8 +3,9 @@ name: memcached Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 steps: - name: Build wolfSSL @@ -47,7 +48,7 @@ jobs: include: - ref: 1.6.22 name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 needs: build_wolfssl steps: diff --git a/.github/workflows/mono.yml b/.github/workflows/mono.yml index 57ea269bf26..09d40619457 100644 --- a/.github/workflows/mono.yml +++ b/.github/workflows/mono.yml @@ -3,8 +3,9 @@ name: Linux Mono C# Build Test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL C# Wrapper - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 10 steps: diff --git a/.github/workflows/mosquitto.yml b/.github/workflows/mosquitto.yml index 603149adc8c..bf91b0de745 100644 --- a/.github/workflows/mosquitto.yml +++ b/.github/workflows/mosquitto.yml 
@@ -3,8 +3,9 @@ name: mosquitto Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -44,7 +45,7 @@ jobs: matrix: ref: [ 2.0.18 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/msmtp.yml b/.github/workflows/msmtp.yml index 9b98c43350e..565582520d3 100644 --- a/.github/workflows/msmtp.yml +++ b/.github/workflows/msmtp.yml @@ -3,8 +3,9 @@ name: msmtp Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 
@@ -44,7 +45,7 @@ jobs: matrix: ref: [ 1.8.28 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/msys2.yml b/.github/workflows/msys2.yml index 93e555a26d3..b25f751cd23 100644 --- a/.github/workflows/msys2.yml +++ b/.github/workflows/msys2.yml @@ -3,8 +3,9 @@ name: MSYS2 Build Test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -14,7 +15,7 @@ concurrency: jobs: msys2: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: windows-latest defaults: run: diff --git a/.github/workflows/multi-arch.yml b/.github/workflows/multi-arch.yml index aac372c464e..f12afd5548c 100644 --- a/.github/workflows/multi-arch.yml +++ b/.github/workflows/multi-arch.yml @@ -3,8 +3,9 @@ name: Multiple architectures # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -51,7 +52,7 @@ jobs: OPT_CFLAGS: '-Os' - name: '-Ofast' OPT_CFLAGS: '-Ofast' - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml index b52bd6432c7..422c3c79ef9 100644 
--- a/.github/workflows/multi-compiler.yml +++ b/.github/workflows/multi-compiler.yml @@ -3,8 +3,9 @@ name: Multiple compilers and versions # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -37,7 +38,7 @@ jobs: - CC: clang-19 CXX: clang++-19 OS: ubuntu-24.04 - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ${{ matrix.OS }} # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 9dab661625e..6923e9e2cbd 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -3,8 +3,9 @@ name: net-snmp Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -47,7 +48,7 @@ jobs: - ref: 5.9.3 test_opts: -e 'agentxperl' name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index d457e111c20..71323cea68b 100644 
--- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -3,8 +3,9 @@ name: nginx Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -19,7 +20,7 @@ env: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -146,7 +147,7 @@ jobs: stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t stream_proxy_ssl_verify.t name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/no-malloc.yml b/.github/workflows/no-malloc.yml index 4268d47da4f..c35419d5192 100644 --- a/.github/workflows/no-malloc.yml +++ b/.github/workflows/no-malloc.yml @@ -3,8 +3,9 @@ name: No Malloc Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -23,7 +24,7 @@ jobs: '--enable-ecc --enable-rsa --enable-keygen --enable-ed25519 --enable-curve25519 --enable-ed448 --enable-curve448 --enable-mlkem --enable-staticmemory CFLAGS="-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/no-tls.yml b/.github/workflows/no-tls.yml index 13cf7c8f05e..cbc48344415 100644 --- a/.github/workflows/no-tls.yml +++ b/.github/workflows/no-tls.yml @@ -3,8 +3,9 @@ name: --disable-tls Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -21,7 +22,7 @@ jobs: '--disable-tls --enable-all CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/nss.yml b/.github/workflows/nss.yml index ebe1acb0c61..32f55328407 100644 --- a/.github/workflows/nss.yml +++ b/.github/workflows/nss.yml @@ -5,8 +5,9 @@ name: nss interop Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -20,7 +21,7 @@ env: jobs: build_nss: name: Build nss - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 30 @@ -63,7 +64,7 @@ jobs: nss_test: name: Test interop with nss - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 needs: build_nss timeout-minutes: 30 diff --git a/.github/workflows/ntp.yml b/.github/workflows/ntp.yml index d93b19deb0e..c5e1a2065db 100644 --- a/.github/workflows/ntp.yml +++ b/.github/workflows/ntp.yml @@ -3,8 +3,9 @@ name: ntp Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -46,7 +47,7 @@ jobs: # List of releases to test ref: [ 4.2.8p15, 4.2.8p17, 4.2.8p18 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/ocsp.yml b/.github/workflows/ocsp.yml index 3cd5636d9d9..c545592fa55 100644 --- a/.github/workflows/ocsp.yml +++ b/.github/workflows/ocsp.yml 
@@ -3,8 +3,9 @@ name: OCSP Test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: ocsp_stapling: name: ocsp stapling - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 10 steps: diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index 48d46daab94..1299a8adee1 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -3,8 +3,9 @@ name: openldap Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -52,7 +53,7 @@ jobs: - osp_ref: 2.6.9 git_ref: OPENLDAP_REL_ENG_2_6_9 name: ${{ matrix.osp_ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 20 diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 75224605614..360971e15d0 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml 
@@ -3,8 +3,9 @@ name: openssh Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -80,7 +81,7 @@ jobs: exit-status rekey multiplex forward-control channel-timeout connection-timeout name: ${{ matrix.osp_ver }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 needs: build_wolfssl steps: diff --git a/.github/workflows/openssl-ech.yml b/.github/workflows/openssl-ech.yml index 9c9e06375bc..4d3ae03e692 100644 --- a/.github/workflows/openssl-ech.yml +++ b/.github/workflows/openssl-ech.yml @@ -3,8 +3,9 @@ name: OpenSSL ECH Interop Test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 4 steps: 
@@ -55,7 +56,7 @@ jobs: build_openssl_ech: name: Build OpenSSL (feature/ech) - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 10 steps: @@ -87,7 +88,7 @@ jobs: ech_interop_test: name: ECH Interop Test - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} needs: [build_wolfssl, build_openssl_ech] runs-on: ubuntu-24.04 timeout-minutes: 10 diff --git a/.github/workflows/opensslcoexist.yml b/.github/workflows/opensslcoexist.yml index e6ff993bdb7..102d7ec07e5 100644 --- a/.github/workflows/opensslcoexist.yml +++ b/.github/workflows/opensslcoexist.yml @@ -3,8 +3,9 @@ name: OPENSSL_COEXIST and TEST_OPENSSL_COEXIST # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -22,7 +23,7 @@ jobs: '--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_OPENSSL_COEXIST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"' ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 0b793f19ef2..7e0795b0018 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml 
@@ -3,8 +3,9 @@ name: OpenVPN Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -44,7 +45,7 @@ jobs: matrix: ref: [ release/2.6, v2.6.19 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 318cbcf8c34..9f1cd5e44f8 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -3,8 +3,9 @@ name: Ubuntu-Macos-Windows Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -133,7 +134,7 @@ jobs: 'CPPFLAGS="-DNO_VERIFY_OID -DWOLFSSL_FPKI"', ] name: make check linux - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 14 
@@ -184,7 +185,7 @@ jobs: '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey', ] name: make check macos - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: macos-latest # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -217,7 +218,7 @@ jobs: 'examples/configs/user_settings_all.h', ] name: make user_setting.h - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ${{ matrix.os }} # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -264,7 +265,7 @@ jobs: # - user_settings_baremetal.h: Requires static memory, custom platform ] name: make user_setting.h (testwolfcrypt only) - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -285,7 +286,7 @@ jobs: # the equivalent code paths on Darwin. make_user_all: name: make user_setting.h (with sed) - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 14 @@ -308,7 +309,7 @@ jobs: windows_build: name: Windows Build Test - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: windows-latest strategy: fail-fast: false diff --git a/.github/workflows/packaging.yml b/.github/workflows/packaging.yml index ec55f410f14..f38645f98c2 100644 
--- a/.github/workflows/packaging.yml +++ b/.github/workflows/packaging.yml @@ -3,8 +3,9 @@ name: Packaging Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Package wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/pam-ipmi.yml b/.github/workflows/pam-ipmi.yml index da6ac50d1c6..e7632c82f98 100644 --- a/.github/workflows/pam-ipmi.yml +++ b/.github/workflows/pam-ipmi.yml @@ -3,8 +3,9 @@ name: pam-ipmi Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -16,7 +17,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -47,7 +48,7 @@ jobs: matrix: git_ref: [ e4b13e6725abb178f62ee897fe1c0e81b06a9431 ] name: ${{ matrix.git_ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 needs: build_wolfssl steps: diff --git a/.github/workflows/pq-all.yml b/.github/workflows/pq-all.yml index c6d4704e99a..ba0dc74d3c8 100644 --- a/.github/workflows/pq-all.yml 
+++ b/.github/workflows/pq-all.yml @@ -3,8 +3,9 @@ name: Quantum Resistant Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -41,7 +42,7 @@ jobs: '--disable-intelasm --enable-dilithium=44,65,87,verify-only CPPFLAGS="-DWOLFSSL_DILITHIUM_DYNAMIC_KEYS"', ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/pr-commit-check.yml b/.github/workflows/pr-commit-check.yml index a2820a8fcf0..b73b9b26c9d 100644 --- a/.github/workflows/pr-commit-check.yml +++ b/.github/workflows/pr-commit-check.yml @@ -2,6 +2,7 @@ name: PR commit message checks on: pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '**' ] concurrency: @@ -11,7 +12,7 @@ concurrency: jobs: commit-messages: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/psk.yml b/.github/workflows/psk.yml index aac00b5e322..05d6a809710 100644 --- a/.github/workflows/psk.yml +++ b/.github/workflows/psk.yml @@ -3,8 +3,9 @@ name: PSK Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -25,7 +26,7 @@ jobs: '--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all --disable-mlkem' ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/puf.yml b/.github/workflows/puf.yml index 8ad4827a1d2..ee510f95e11 100644 --- a/.github/workflows/puf.yml +++ b/.github/workflows/puf.yml @@ -3,8 +3,9 @@ name: PUF Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: puf_host_test: name: PUF host test - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 6 steps: diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 7b225d91264..e0d021f4f93 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -3,8 +3,9 @@ name: Python Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 10 steps: @@ -93,7 +94,7 @@ jobs: test_xmlrpc test_docxmlrpc name: Python ${{ matrix.python_ver }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 60 needs: build_wolfssl diff --git a/.github/workflows/rng-tools.yml b/.github/workflows/rng-tools.yml index 0579a312ca7..73375422503 100644 --- a/.github/workflows/rng-tools.yml +++ b/.github/workflows/rng-tools.yml @@ -3,8 +3,9 @@ name: rng-tools Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -46,7 +47,7 @@ jobs: # List of releases to test ref: [ 6.16, 6.17 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/rust-wrapper.yml b/.github/workflows/rust-wrapper.yml index 4fe191b0852..1b97237616d 100644 --- a/.github/workflows/rust-wrapper.yml 
+++ b/.github/workflows/rust-wrapper.yml @@ -3,8 +3,9 @@ name: Build Rust Wrapper # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL Rust Wrapper - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ${{ matrix.os }} # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/se050-sim.yml b/.github/workflows/se050-sim.yml index 9ce5a8c8922..bb7ccefbace 100644 --- a/.github/workflows/se050-sim.yml +++ b/.github/workflows/se050-sim.yml @@ -3,8 +3,9 @@ name: SE050 simulator test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -26,7 +27,7 @@ env: jobs: se050_sim: name: wolfCrypt against SE050 simulator - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 30 steps: diff --git a/.github/workflows/smallStackSize.yml b/.github/workflows/smallStackSize.yml index d754751c57d..286bb4527c8 100644 --- a/.github/workflows/smallStackSize.yml +++ b/.github/workflows/smallStackSize.yml @@ -3,8 +3,9 @@ name: Stack Size warnings # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -36,7 +37,7 @@ jobs: '--enable-intelasm --enable-sp-asm --enable-all-crypto --enable-mlkem --enable-lms --enable-xmss --enable-mldsa' ] name: build library - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml new file mode 100644 index 00000000000..5e9c7ac4666 --- /dev/null +++ b/.github/workflows/smoke-test.yml 
@@ -0,0 +1,120 @@ +name: Smoke Test + +# Fast pre-flight build + make check across common-failure configs derived +# from the Jenkins PRB top-10 (last 30 days). Intentionally runs on drafts +# too: this is the gate that protects the rest of CI. Other PR workflows +# wait for this via .github/actions/wait-for-smoke. +# +# CFLAGS=-Werror is applied at make time only (not ./configure) so autoconf +# feature detection is not poisoned by benign warnings in conftest probes. +# +# For pull_request events the workflow tests the POST-MERGE tree: +# the PR head is checked out, the base branch is merged in, and: +# * a merge conflict fails the job before any build runs. +# * if the PR tree is identical to base (no diff), the matrix is skipped. +# * otherwise the build runs against the merged tree. +# This catches stale PRs whose head builds clean but whose merge with +# current master would break. + +on: + push: + branches: [ master, main ] + paths-ignore: + - '**/*.md' + - 'doc/**' + - 'AUTHORS' + - 'LICENSING' + - 'ChangeLog.md' + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + branches: [ master, main ] + +concurrency: + group: smoke-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + smoke: + runs-on: ubuntu-24.04 + timeout-minutes: 25 + strategy: + fail-fast: false + matrix: + config: + - name: default + args: "" + - name: enable-all + args: "--enable-all" + - name: opensslextra + args: "--enable-opensslextra" + - name: enable-all-smallstack + args: "--enable-all --enable-smallstack" + - name: cryptonly + args: "--enable-cryptonly" + # Below entries target the top Jenkins PRB failure modes + # (-Werror unused-function / implicit-decl / link errors). 
+ - name: leantls-extra + args: "--enable-leantls --enable-session-ticket --enable-sni --enable-opensslextra" + - name: dtls-suite + args: "--enable-psk --enable-dtls --enable-dtls13 --enable-dtls-mtu --enable-aesccm --enable-opensslextra" + - name: integration + args: "--enable-openssh --enable-lighty --enable-stunnel --enable-opensslextra" + env: + MAKE_CFLAGS: "-Werror" + steps: + # For PRs we explicitly check out the PR head (not the auto-merge + # ref) and do the merge ourselves below so we can fail fast on + # conflicts. For push events we just check out the pushed SHA. + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha || github.sha }} + + - name: Merge base into PR head (fail fast on conflict) + id: merge_check + if: github.event_name == 'pull_request' + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: | + set -e + git config user.email "ci@wolfssl.invalid" + git config user.name "wolfSSL CI Merge" + git fetch --no-tags origin "$BASE_REF" + BASE_SHA=$(git rev-parse FETCH_HEAD) + if git diff --quiet "$BASE_SHA" HEAD; then + echo "::notice::PR tree is identical to $BASE_REF; skipping smoke matrix." + echo "skip=true" >> "$GITHUB_OUTPUT" + exit 0 + fi + if ! git merge --no-ff --no-commit "$BASE_SHA"; then + echo "::error::Merge conflicts with $BASE_REF - please rebase or merge $BASE_REF into the PR branch before testing." + git merge --abort || true + exit 1 + fi + echo "skip=false" >> "$GITHUB_OUTPUT" + echo "Clean merge with $BASE_REF; testing post-merge tree." 
+ + - name: Install dependencies + if: steps.merge_check.outputs.skip != 'true' + uses: ./.github/actions/install-apt-deps + with: + packages: autoconf automake libtool build-essential + + - name: autogen + if: steps.merge_check.outputs.skip != 'true' + run: ./autogen.sh + + - name: configure ${{ matrix.config.name }} + if: steps.merge_check.outputs.skip != 'true' + run: ./configure ${{ matrix.config.args }} + + - name: make (CFLAGS=-Werror) + if: steps.merge_check.outputs.skip != 'true' + run: make -j$(nproc) CFLAGS="$MAKE_CFLAGS" + + - name: make check (CFLAGS=-Werror) + if: steps.merge_check.outputs.skip != 'true' + run: make check CFLAGS="$MAKE_CFLAGS" diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 57068d04302..3134771e3c6 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -3,8 +3,9 @@ name: socat Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 4 steps: @@ -38,7 +39,7 @@ jobs: socat_check: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 30 diff --git a/.github/workflows/softhsm.yml b/.github/workflows/softhsm.yml index fb1ca9a50c2..a0d449714e2 100644 --- a/.github/workflows/softhsm.yml +++ b/.github/workflows/softhsm.yml 
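Review bot: `make -j$(nproc) CFLAGS="$MAKE_CFLAGS"` in the smoke job replaces the whole configure-substituted `CFLAGS` (automake's default `-g -O2`) with `-Werror` alone, so every config is built and `make check` is run at -O0; optimisation-dependent diagnostics such as `-Wmaybe-uninitialized` will not fire, and the unoptimised test run is slower, which matters against the 25-minute timeout. wolfSSL's own flags presumably travel in `AM_CFLAGS` and survive the override, but unless -O0 is intended the env line should read `MAKE_CFLAGS: "-g -O2 -Werror"` (the header comment about keeping `-Werror` out of `./configure` still holds). The merge step correctly passes `BASE_REF` through `env:` instead of interpolating it into the script, and the job runs on the `pull_request` event with `permissions: contents: read`, so building untrusted PR trees (including drafts) here only ever holds the read-only token; a short comment on `permissions:` stating that this is deliberate for that reason would make the invariant explicit for future edits.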
@@ -3,8 +3,9 @@ name: SoftHSMv2 Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -46,7 +47,7 @@ jobs: # List of releases to test ref: [ 2.6.1 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 20 diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 2067ec6f98b..7c894f22436 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -3,8 +3,9 @@ name: sssd Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -14,7 +15,7 @@ concurrency: jobs: build_wolfssl: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} name: Build wolfSSL # Just to keep it the same as the testing target runs-on: ubuntu-24.04 
@@ -46,7 +47,7 @@ jobs: # List of releases to test ref: [ 2.9.1, 2.10.2 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 container: image: quay.io/sssd/ci-client-devel:ubuntu-latest diff --git a/.github/workflows/stm32-sim.yml b/.github/workflows/stm32-sim.yml index 8beb42921c4..9a2bcb6a838 100644 --- a/.github/workflows/stm32-sim.yml +++ b/.github/workflows/stm32-sim.yml @@ -3,8 +3,9 @@ name: STM32 simulator test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -24,7 +25,7 @@ concurrency: jobs: stm32_sim: name: wolfCrypt on STM32${{ matrix.chip_label }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 30 strategy: diff --git a/.github/workflows/stsafe-a120-sim.yml b/.github/workflows/stsafe-a120-sim.yml index 8764a56b83c..49d60037bcc 100644 --- a/.github/workflows/stsafe-a120-sim.yml +++ b/.github/workflows/stsafe-a120-sim.yml @@ -3,8 +3,9 @@ name: STSAFE-A120 simulator test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -32,7 +33,7 @@ env: jobs: stsafe_a120_sim: name: wolfCrypt against STSAFE-A120 simulator - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 30 steps: 
diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index 7348ec18852..369cc210024 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -3,8 +3,9 @@ name: stunnel Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -15,7 +16,7 @@ concurrency: jobs: build_wolfssl: name: Build wolfSSL - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} # Just to keep it the same as the testing target runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. @@ -45,7 +46,7 @@ jobs: # List of releases to test ref: [ 5.67 ] name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 4 diff --git a/.github/workflows/symbol-prefixes.yml b/.github/workflows/symbol-prefixes.yml index 5073f8e938e..4c46865b063 100644 --- a/.github/workflows/symbol-prefixes.yml +++ b/.github/workflows/symbol-prefixes.yml @@ -3,8 +3,9 @@ name: WOLFSSL_API_PREFIX_MAP # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -20,7 +21,7 @@ jobs: '--enable-all --enable-mlkem --enable-mldsa --enable-xmss --enable-lms --enable-acert --with-sys-crypto-policy CFLAGS=-DWOLFSSL_API_PREFIX_MAP' ] name: make and analyze - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 diff --git a/.github/workflows/threadx.yml b/.github/workflows/threadx.yml index d1921418068..d939a6557f2 100644 --- a/.github/workflows/threadx.yml +++ b/.github/workflows/threadx.yml @@ -2,12 +2,14 @@ name: ThreadXBuild Test on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] jobs: build: + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.draft == false }} runs-on: ubuntu-24.04 timeout-minutes: 10 diff --git a/.github/workflows/trackmemory.yml b/.github/workflows/trackmemory.yml index 3f79e01645b..f00ea8a4cb1 100644 --- a/.github/workflows/trackmemory.yml +++ b/.github/workflows/trackmemory.yml @@ -3,8 +3,9 @@ name: WOLFSSL_TRACK_MEMORY Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -32,7 +33,7 @@ jobs: '--disable-asm --enable-wolfEntropy --enable-smallstackcache --enable-smallstack --enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY -DNO_WOLFSSL_CIPHER_SUITE_TEST"' ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 6 
diff --git a/.github/workflows/tropic01-sim.yml b/.github/workflows/tropic01-sim.yml index d64a0def0b7..871b79fa992 100644 --- a/.github/workflows/tropic01-sim.yml +++ b/.github/workflows/tropic01-sim.yml @@ -3,8 +3,9 @@ name: TROPIC01 simulator test # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -32,7 +33,7 @@ env: jobs: tropic01_sim: name: wolfCrypt against TROPIC01 simulator - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 30 steps: diff --git a/.github/workflows/watcomc.yml b/.github/workflows/watcomc.yml index d936d8fa117..60528dc167f 100644 --- a/.github/workflows/watcomc.yml +++ b/.github/workflows/watcomc.yml @@ -3,8 +3,9 @@ name: Build Watcom C # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -14,7 +15,7 @@ concurrency: jobs: wolfssl_watcomc_windows: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} strategy: fail-fast: false matrix: diff --git a/.github/workflows/win-csharp-test.yml b/.github/workflows/win-csharp-test.yml index c2c10582c1f..88cb6e8c44f 100644 --- a/.github/workflows/win-csharp-test.yml +++ b/.github/workflows/win-csharp-test.yml 
@@ -2,14 +2,15 @@ name: Windows CSharp Build Test on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] jobs: build: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: windows-latest # This should be a safe limit for the tests to run. diff --git a/.github/workflows/wolfCrypt-Wconversion.yml b/.github/workflows/wolfCrypt-Wconversion.yml index f76e2a1fcc9..73b0a6adcbf 100644 --- a/.github/workflows/wolfCrypt-Wconversion.yml +++ b/.github/workflows/wolfCrypt-Wconversion.yml @@ -3,8 +3,9 @@ name: wolfCrypt conversion warnings # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -31,7 +32,7 @@ jobs: '--disable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem=yes,small --enable-slhdsa --enable-lms --enable-xmss CPPFLAGS="-DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"', ] name: build library - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/wolfboot-integration.yml b/.github/workflows/wolfboot-integration.yml index 1a7fe9a0c62..2b5cffdfd80 100644 --- a/.github/workflows/wolfboot-integration.yml +++ b/.github/workflows/wolfboot-integration.yml 
@@ -2,8 +2,9 @@ name: wolfBoot Integration on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] workflow_dispatch: @@ -19,7 +20,7 @@ env: jobs: keytools: name: keytools - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 20 @@ -120,7 +121,7 @@ jobs: host_smoke: name: host-smoke - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 15 @@ -192,7 +193,7 @@ jobs: renode_multimem_smallstack: name: renode-multimem-smallstack - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 timeout-minutes: 45 permissions: @@ -318,7 +319,7 @@ jobs: renode_multimem_smallstack_fastmath: name: renode-multimem-smallstack-fastmath - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 timeout-minutes: 45 permissions: @@ -426,7 +427,7 @@ jobs: renode_multimem_smallstack_noasm: name: renode-multimem-smallstack-noasm - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 timeout-minutes: 45 permissions: diff --git a/.github/workflows/wolfsm.yml b/.github/workflows/wolfsm.yml index d0d39e254ab..36748af3a90 100644 --- a/.github/workflows/wolfsm.yml +++ b/.github/workflows/wolfsm.yml 
@@ -3,8 +3,9 @@ name: wolfSM Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -26,7 +27,7 @@ jobs: '--enable-all --enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm', ] name: make check - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-24.04 timeout-minutes: 10 steps: diff --git a/.github/workflows/xcode.yml b/.github/workflows/xcode.yml index 4799aa41fe1..733d4b33f5e 100644 --- a/.github/workflows/xcode.yml +++ b/.github/workflows/xcode.yml @@ -3,8 +3,9 @@ name: Xcode Build Tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -14,7 +15,7 @@ concurrency: jobs: build: - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: macos-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 diff --git a/.github/workflows/zephyr-4.x.yml b/.github/workflows/zephyr-4.x.yml index 203ec2a48e5..ac5358dff78 100644 --- a/.github/workflows/zephyr-4.x.yml +++ b/.github/workflows/zephyr-4.x.yml @@ -3,8 +3,9 @@ name: Zephyr 4.x tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: 
@@ -15,7 +16,7 @@ concurrency: jobs: build: name: ${{ matrix.zephyr-ref }} | ${{ matrix.board }} | ${{ matrix.sample }}${{ matrix.extra-conf != '' && ' | extlibc' || '' }} - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 timeout-minutes: 60 strategy: diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml index 1ce15098a9a..ca31d82776f 100644 --- a/.github/workflows/zephyr.yml +++ b/.github/workflows/zephyr.yml @@ -3,8 +3,9 @@ name: Zephyr tests # START OF COMMON SECTION on: push: - branches: [ 'master', 'main', 'release/**' ] + branches: [ 'release/**' ] pull_request: + types: [opened, synchronize, reopened, ready_for_review] branches: [ '*' ] concurrency: @@ -25,7 +26,7 @@ jobs: zephyr-sdk: 0.16.3 - zephyr-ref: v2.7.4 zephyr-sdk: 0.16.3 - if: github.repository_owner == 'wolfssl' + if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} runs-on: ubuntu-22.04 # This should be a safe limit for the tests to run. timeout-minutes: 45 diff --git a/Makefile.am b/Makefile.am index fce812babf5..74a82515902 100644 --- a/Makefile.am +++ b/Makefile.am @@ -149,6 +149,7 @@ EXTRA_DIST+= wolfssl64.sln EXTRA_DIST+= valgrind-error.sh EXTRA_DIST+= valgrind-bash.supp EXTRA_DIST+= fips-hash.sh +EXTRA_DIST+= .github/scripts/check-source-text.sh EXTRA_DIST+= gencertbuf.pl EXTRA_DIST+= README.md EXTRA_DIST+= README-async.md From 6605060b18e3a3cfb67aba10f67c93a4b56a645d Mon Sep 17 00:00:00 2001 
From: David Garske Date: Thu, 21 May 2026 13:59:18 -0700 Subject: [PATCH 2/2] CI: more smoke coverage + header self-sufficiency - Add AddressSanitizer entry to smoke matrix (--enable-all + -fsanitize=address). - Add check-headers workflow: 214 public wolfssl/*.h compile standalone. - Fix quic.h, rng_bank.h, Renesas/renesas-fspsm-crypt.h to be self-sufficient. - Remove no-tls.yml (its single config is already covered by os-check.yml). --- .github/scripts/check-headers.sh | 99 +++++++++++++++++++ .github/workflows/check-headers.yml | 43 ++++++++ .github/workflows/no-tls.yml | 50 ---------- .github/workflows/smoke-test.yml | 24 ++++- wolfssl/quic.h | 16 ++- .../port/Renesas/renesas-fspsm-crypt.h | 1 + wolfssl/wolfcrypt/rng_bank.h | 1 + 7 files changed, 171 insertions(+), 63 deletions(-) create mode 100755 .github/scripts/check-headers.sh create mode 100644 .github/workflows/check-headers.yml delete mode 100644 .github/workflows/no-tls.yml diff --git a/.github/scripts/check-headers.sh b/.github/scripts/check-headers.sh new file mode 100755 index 00000000000..33bdd7f3453 --- /dev/null +++ b/.github/scripts/check-headers.sh 
@@ -0,0 +1,99 @@ +#!/usr/bin/env bash +# +# check-headers.sh +# +# Verifies that every public-facing wolfSSL header compiles standalone +# from a fresh consumer's perspective: +# +# #include +# #include +# int main(void) { return 0; } +# +# Catches the common breakage where a header silently relies on a +# transitive include from an earlier `.c` file and stops compiling +# when downstream code includes it first. +# +# Requires: +# * ./configure has been run (so wolfssl/options.h exists). +# * gcc and standard build env. +# +# Usage: +# .github/scripts/check-headers.sh # scan default header set +# .github/scripts/check-headers.sh # scan a specific list + +set -u + +ROOT="$(git rev-parse --show-toplevel)" +cd "$ROOT" || exit 2 + +if [ ! -f wolfssl/options.h ]; then + echo "::error::wolfssl/options.h not found - run ./configure first" >&2 + exit 2 +fi + +CC="${CC:-gcc}" +GHA="${GITHUB_ACTIONS:-}" + +emit() { + local file="$1" msg="$2" + if [ -n "$GHA" ]; then + printf '::error file=%s,line=1,title=header-self-include::%s\n' "$file" "$msg" + else + printf '%s: %s\n' "$file" "$msg" + fi +} + +# Default scope: public wolfssl headers excluding vendor/port subdirs and +# files that are intentionally not standalone-includable. +if [ "$#" -gt 0 ]; then + HEADERS=("$@") +else + # Exclusions: + # * generated / private / test-data headers. + # * wolfcrypt math backends (tfm vs sp_int are mutually exclusive). + # * port/* headers whose first-line vendor SDK include can't be + # satisfied in a generic CI environment (mcapi.h, kcapi.h, + # em_device.h, fsl_dcp.h, hw/inout.h, etc.) or that reference + # vendor-only types. Fix the offending header's vendor #include + # with an #ifdef guard and drop the exclusion in a follow-up. 
+ mapfile -t HEADERS < <( + git ls-files 'wolfssl/*.h' 'wolfssl/wolfcrypt/*.h' \ + 'wolfssl/wolfcrypt/port/**/*.h' 'wolfssl/openssl/*.h' \ + | grep -vE '^wolfssl/(options|internal|certs_test|certs_test_sm|debug-trace-error-codes|debug-untrace-error-codes)\.h$' \ + | grep -vE '^wolfssl/wolfcrypt/(fips_test|selftest|tfm)\.h$' \ + | grep -vE '^wolfssl/wolfcrypt/port/aria/aria-crypt(ocb)?\.h$' \ + | grep -vE '^wolfssl/wolfcrypt/port/autosar/(CryIf|Crypto)\.h$' \ + | grep -vE '^wolfssl/wolfcrypt/port/caam/(caam_driver|caam_qnx|wolfcaam_hash)\.h$' \ + | grep -vE '^wolfssl/wolfcrypt/port/kcapi/' \ + | grep -vE '^wolfssl/wolfcrypt/port/nxp/(dcp_port|se050_port)\.h$' \ + | grep -vE '^wolfssl/wolfcrypt/port/Renesas/(renesas_fspsm_internal|renesas-rx64-hw-crypt|renesas-tsip-crypt|renesas_tsip_internal)\.h$' \ + | grep -vE '^wolfssl/wolfcrypt/port/silabs/silabs_aes\.h$' + ) +fi + +TMPDIR="$(mktemp -d)" +trap 'rm -rf "$TMPDIR"' EXIT + +FAIL=0 +PASS=0 +for h in "${HEADERS[@]}"; do + [ -f "$h" ] || continue + cat > "$TMPDIR/test.c" < +#include <$h> +int main(void) { return 0; } +EOF + if out="$("$CC" -I. -c -o /dev/null "$TMPDIR/test.c" 2>&1)"; then + PASS=$((PASS + 1)) + else + FAIL=$((FAIL + 1)) + first_err="$(printf '%s' "$out" | grep -E 'error:' | head -1 | sed 's/.*error: //')" + emit "$h" "header does not compile standalone: ${first_err:-(see build log)}" + if [ -z "$GHA" ]; then + printf '%s\n' "$out" | head -8 | sed 's/^/ /' + fi + fi +done + +echo "check-headers: $PASS pass, $FAIL fail" +[ "$FAIL" -eq 0 ] diff --git a/.github/workflows/check-headers.yml b/.github/workflows/check-headers.yml new file mode 100644 index 00000000000..dbc3aa61512 --- /dev/null +++ b/.github/workflows/check-headers.yml 
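Review bot: The script fails open when the header list comes back empty: with `set -u` but no `pipefail`, a failing `git ls-files` or an over-broad exclusion leaves `HEADERS` empty, the loop runs zero times, and the final `[ "$FAIL" -eq 0 ]` exits 0 after printing "0 pass, 0 fail". Add a guard after the `fi` that closes the scope selection, `[ "${#HEADERS[@]}" -gt 0 ] || { echo "::error::check-headers: no headers selected" >&2; exit 2; }`. Two smaller points: `TMPDIR` is the conventional environment variable that `mktemp` itself reads, so naming the scratch directory `WORKDIR` avoids confusion, and unlike check-source-text.sh in the first patch this script is not added to `EXTRA_DIST` in Makefile.am (patch 2's diffstat does not touch Makefile.am), so it will be missing from `make dist` tarballs if the two scripts are expected to ship alike.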
@@ -0,0 +1,43 @@ +name: Check Headers + +# Verifies every public-facing wolfSSL header compiles standalone with +# only wolfssl/options.h included first. Catches the common breakage +# where a header silently relies on a transitive include from an +# earlier .c file and stops compiling from a fresh consumer. +# +# Runs on drafts (fast static check). + +on: + push: + branches: [ master, main ] + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + branches: [ master, main ] + +concurrency: + group: check-headers-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + check: + runs-on: ubuntu-24.04 + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + + - name: Install dependencies + uses: ./.github/actions/install-apt-deps + with: + packages: autoconf automake libtool build-essential + + - name: autogen + run: ./autogen.sh + + - name: configure --enable-all + run: ./configure --enable-all + + - name: Run check-headers + run: ./.github/scripts/check-headers.sh diff --git a/.github/workflows/no-tls.yml b/.github/workflows/no-tls.yml deleted file mode 100644 index cbc48344415..00000000000 --- a/.github/workflows/no-tls.yml +++ /dev/null 
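Review bot: The workflow checks headers under a single configuration (`./configure --enable-all`), so a header whose body is guarded by an option that `--enable-all` does not set, or by one it disables, compiles as an empty shell and passes vacuously; the header comment should state that limit, e.g. `# Only the --enable-all option set is exercised; code behind other build options is not compiled.` The `pull_request.branches: [ master, main ]` filter also differs from the `'*'` the other workflows use, so PRs targeting `release/**` branches skip this check, which looks unintended given that the other suites run there. The concurrency group `check-headers-${{ github.workflow }}-${{ github.ref }}` repeats the workflow name; `${{ github.workflow }}-${{ github.ref }}` matches the common section used elsewhere.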
@@ -1,50 +0,0 @@ -name: --disable-tls Tests - -# START OF COMMON SECTION -on: - push: - branches: [ 'release/**' ] - pull_request: - types: [opened, synchronize, reopened, ready_for_review] - branches: [ '*' ] - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true -# END OF COMMON SECTION - -jobs: - make_check: - strategy: - matrix: - config: [ - # Add new configs here - '--disable-tls --enable-all CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', - ] - name: make check - if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} - runs-on: ubuntu-24.04 - # This should be a safe limit for the tests to run. - timeout-minutes: 6 - steps: - - uses: actions/checkout@v4 - name: Checkout wolfSSL - - - name: Test wolfSSL - run: | - ./autogen.sh - ./configure ${{ matrix.config }} - make -j 4 - make check - - - name: Print errors - if: ${{ failure() }} - run: | - for file in scripts/*.log - do - if [ -f "$file" ]; then - echo "${file}:" - cat "$file" - echo "========================================================================" - fi - done diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index 5e9c7ac4666..8c2f875c09a 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -62,6 +62,12 @@ jobs: args: "--enable-psk --enable-dtls --enable-dtls13 --enable-dtls-mtu --enable-aesccm --enable-opensslextra" - name: integration args: "--enable-openssh --enable-lighty --enable-stunnel --enable-opensslextra" + # AddressSanitizer (UBSAN excluded - current master has known + # left-shift UB in auto-generated SP math). + - name: sanitize-asan + args: "--enable-all" + cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1" + ldflags: "-fsanitize=address" env: MAKE_CFLAGS: "-Werror" steps: 
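Review bot: The comment on the new `sanitize-asan` entry records a known undefined-behaviour finding ("left-shift UB in auto-generated SP math") as the reason UBSAN is excluded, but gives no tracking reference, which is how such exclusions become permanent; cite it, e.g. `# UBSAN excluded until <TRACKING-ISSUE-PLACEHOLDER> (left-shift UB in generated SP math) is fixed.` Under this entry `make check` runs the test binaries with ASAN's defaults, so leak detection is presumably on and a leak in a test harness fails the whole config; setting `ASAN_OPTIONS` explicitly on the entry would document the intended detection scope either way. The `cflags`/`ldflags` keys exist only on this entry; how the other seven entries behave when they are empty is decided by the make steps in the next hunk.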
@@ -111,10 +117,20 @@ jobs: if: steps.merge_check.outputs.skip != 'true' run: ./configure ${{ matrix.config.args }} - - name: make (CFLAGS=-Werror) + - name: make if: steps.merge_check.outputs.skip != 'true' - run: make -j$(nproc) CFLAGS="$MAKE_CFLAGS" + env: + ENTRY_CFLAGS: ${{ matrix.config.cflags }} + ENTRY_LDFLAGS: ${{ matrix.config.ldflags }} + run: | + FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}" + make -j"$(nproc)" CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS" - - name: make check (CFLAGS=-Werror) + - name: make check if: steps.merge_check.outputs.skip != 'true' - run: make check CFLAGS="$MAKE_CFLAGS" + env: + ENTRY_CFLAGS: ${{ matrix.config.cflags }} + ENTRY_LDFLAGS: ${{ matrix.config.ldflags }} + run: | + FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}" + make check CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS" diff --git a/wolfssl/quic.h b/wolfssl/quic.h index a644b6d3d29..cdce23ca494 100644 --- a/wolfssl/quic.h +++ b/wolfssl/quic.h @@ -35,13 +35,10 @@ #ifndef NO_STDINT_H #include #endif +#include /* size_t */ -/* QUIC operates on three encryption levels which determine - * which keys/algos are used for de-/encryption. These are - * kept separately for incoming and outgoing data and. - * Due to the nature of UDP, more than one might be in use - * at the same time due to resends or out-of-order arrivals. - */ +/* Defined before ssl.h: openssl/ssl.h pulls quic.h mid-include and + * references WOLFSSL_ENCRYPTION_LEVEL and WOLFSSL_QUIC_METHOD. */ typedef enum wolfssl_encryption_level_t { wolfssl_encryption_initial = 0, wolfssl_encryption_early_data, @@ -49,11 +46,12 @@ typedef enum wolfssl_encryption_level_t { wolfssl_encryption_application } WOLFSSL_ENCRYPTION_LEVEL; - -/* All QUIC related callbacks to the application. - */ typedef struct wolfssl_quic_method_t WOLFSSL_QUIC_METHOD; +#include + + +/* All QUIC related callbacks to the application. */ struct wolfssl_quic_method_t { /** * Provide secrets to the QUIC stack when they become available in the SSL 
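Review bot: `FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"` replaces `-Werror` rather than adding to it, so the `sanitize-asan` entry from the previous hunk is the one config that builds without `-Werror`, and `LDFLAGS="$ENTRY_LDFLAGS"` is passed to make for every entry, overriding any configure-derived LDFLAGS with an empty string for the seven entries that set no `ldflags`. If neither is intended, `FLAGS="$MAKE_CFLAGS${ENTRY_CFLAGS:+ $ENTRY_CFLAGS}"` and `make -j"$(nproc)" CFLAGS="$FLAGS" ${ENTRY_LDFLAGS:+"LDFLAGS=$ENTRY_LDFLAGS"}` keep `-Werror` everywhere and only touch LDFLAGS when the entry asks for it; the `make check` step has the same two lines. If dropping `-Werror` under ASAN is deliberate, the matrix comment should say so.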
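Review bot: The first quic.h hunk removes the only explanation of what the encryption levels are (three levels, tracked separately for incoming and outgoing data, with more than one possibly live at once because of UDP resends and reordering) and replaces it with an include-ordering note; both are needed, so keep the original paragraph below the new `/* Defined before ssl.h ... */` comment rather than dropping it. The second hunk makes quic.h include ssl.h after the typedefs, creating a cycle that is resolved by include guards; whether `struct wolfssl_quic_method_t` sees its member types in the ssl.h-first order depends on ssl.h declaring them before it reaches openssl/ssl.h, which lies outside this hunk (the struct body continues past it), so a one-line contract next to the include would help, e.g. `/* Include cycle resolved by guards: ssl.h must declare the types used below before it includes openssl/ssl.h */`. The new check-headers.sh exercises only the quic.h-first order, so the ssl.h-first path is covered only by ordinary builds.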
diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h b/wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h index 71d8dbf295d..8a3bd25e206 100644 --- a/wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h +++ b/wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h @@ -22,6 +22,7 @@ #define __RENESAS_FSPSM_CRYPT_H__ #include +#include /* uint8_t */ #ifdef __cplusplus extern "C" { diff --git a/wolfssl/wolfcrypt/rng_bank.h b/wolfssl/wolfcrypt/rng_bank.h index d26b41a5e55..bdc8577fdc4 100644 --- a/wolfssl/wolfcrypt/rng_bank.h +++ b/wolfssl/wolfcrypt/rng_bank.h @@ -32,6 +32,7 @@ #define WOLF_CRYPT_RNG_BANK_H #include +#include #ifdef WC_RNG_BANK_SUPPORT