Improve CI workflows: update runner versions, add timeouts, enhance OpenSSL detection (#519)

- Update runners from ubuntu-20.04 to ubuntu-latest, use modern macOS versions
- Add timeout limits to prevent stuck jobs
- Embed OpenSSL path discovery directly in adhoctest.yml
- Update Java test matrix to include Java 25
- Change JDK distribution from temurin to zulu for better compatibility
- Improve macOS OpenSSL detection with unified path logic
- Add Maven cache configuration via setup-java action
- Fix pom.xml test-with-jar profile configuration

Co-authored-by: Cerebras Agent <193945191+isaact-cerebras@users.noreply.github.com>

Author: slachiewicz

.github/workflows/adhoctest.yml

@@ -30,13 +30,14 @@ permissions:
 
 jobs:
   build:
+    timeout-minutes: 5
 
     runs-on: ${{ matrix.os }}
     strategy:
-      max-parallel: 20
+      max-parallel: 10
       matrix:
-        os: [macos-13, macos-14]
-        # os: [macos-11, macos-12, macos-13, ubuntu-20.04, ubuntu-22.04]
+        # https://docs.github.com/en/actions/reference/runners/github-hosted-runners#supported-runners-and-hardware-resources
+        os: [macos-15-intel, macos-26-intel, macos-14, macos-15, macos-26, ubuntu-latest, windows-latest]
       fail-fast: false
 
     steps:
@@ -47,16 +48,73 @@ jobs:
       run: |
         dir "C:\Program Files\OpenSSL*\*"
         dir "C:\Program Files\OpenSSL*\lib\*"
-    - name: Find aes.h on !Windows
+    - name: Find OpenSSL on !Windows
       if: ${{ runner.os != 'Windows' }}
       run: |
-        set +e # want everything to run
-        find /usr -name aes.h -ls || true
-        find /usr -type d -name openssl -ls || true
-        find /opt -name aes.h -ls || true
-        find /opt -type d -name openssl -ls || true
-        ls -l /usr/local/include /usr/local/opt/openssl/include  || true # is this where macos12-13 find aes.h?
-        ls -l /opt/local/include  || true # Try this for macos-14
-        find /usr -type l -name openssl -ls 2>/dev/null
-        find /opt -type l -name openssl -ls 2>/dev/null
+        set +e
+        set -x
+        
+        echo "=== OpenSSL Path Discovery ==="
+        
+        if [[ "$OSTYPE" == "darwin"* ]]; then
+            echo "--- macOS OpenSSL Detection ---"
+            
+            MAC_OS_OPENSSL_DIRS=(
+                "/opt/homebrew/opt/openssl@3"
+                "/opt/homebrew/opt/openssl@1.1"
+                "/usr/local/opt/openssl@3"
+                "/usr/local/opt/openssl@1.1"
+                "/opt/local"
+                "/opt/homebrew"
+                "/usr/local"
+            )
+            
+            MAC_LIB_OPENSSL=""
+            MAC_INC_OPENSSL=""
+            
+            echo "--- Checking directories ---"
+            for dir in "${MAC_OS_OPENSSL_DIRS[@]}"; do
+                lib_dir="$dir/lib"
+                inc_dir="$dir/include"
+                
+                echo "  Checking: $dir"
+                
+                if [[ -d "$lib_dir" ]] && [[ -z "$MAC_LIB_OPENSSL" ]]; then
+                    for lib in "libcrypto.dylib" "libcrypto.3.dylib" "libcrypto.1.1.dylib"; do
+                        if [[ -f "$lib_dir/$lib" ]]; then
+                            MAC_LIB_OPENSSL="$lib_dir"
+                            echo "    Found lib: $lib_dir/$lib"
+                            break
+                        fi
+                    done
+                fi
+                
+                if [[ -d "$inc_dir" ]] && [[ -z "$MAC_INC_OPENSSL" ]] && [[ -f "$inc_dir/openssl/aes.h" ]]; then
+                    MAC_INC_OPENSSL="$inc_dir"
+                    echo "    Found include: $inc_dir/openssl/aes.h"
+                fi
+            done
+            
+            echo "--- Discovery Results ---"
+            if [[ -n "$MAC_LIB_OPENSSL" ]]; then
+                echo "MAC_LIB_OPENSSL=$MAC_LIB_OPENSSL"
+                ls -la "$MAC_LIB_OPENSSL"/libcrypto*.dylib 2>/dev/null || true
+            else
+                echo "MAC_LIB_OPENSSL=NOT_FOUND"
+            fi
+            
+            if [[ -n "$MAC_INC_OPENSSL" ]]; then
+                echo "MAC_INC_OPENSSL=$MAC_INC_OPENSSL"
+                ls -la "$MAC_INC_OPENSSL"/openssl/aes.h 2>/dev/null || true
+            else
+                echo "MAC_INC_OPENSSL=NOT_FOUND"
+            fi
+        else
+            echo "--- Linux OpenSSL Detection ---"
+            find /usr -name aes.h -ls 2>/dev/null || true
+            find /usr -type d -name openssl -ls 2>/dev/null || true
+            find /usr/lib* -name libcrypto.so* -ls 2>/dev/null || true
+        fi
+        
+        echo "=== OpenSSL Binary Locations ==="
         which -a openssl | while read a ;do echo "$a" ; "$a" version -a; echo '======='; done

.github/workflows/benchmarkadhoc.yml

@@ -24,16 +24,16 @@ permissions:
 
 jobs:
   build:
+    timeout-minutes: 5
 
     runs-on: ${{ matrix.os }}
     continue-on-error: ${{ matrix.experimental }}
     strategy:
       max-parallel: 20
       matrix:
-        # macos-latest and ubuntu-latest uses OpenSSL 3 which breaks tests
-        os: [macos-11, ubuntu-20.04, windows-latest]
+        os: [macos-15, ubuntu-latest, windows-latest]
         # Run lowest and highest Java versions only
-        java: [ 8, 21 ]
+        java: [ 8, 21, 25 ]
         experimental: [false]
       fail-fast: false
 
@@ -50,7 +50,7 @@ jobs:
     - name: Set up JDK ${{ matrix.java }}
       uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
-        distribution: 'temurin'
+        distribution: 'zulu'
         java-version: ${{ matrix.java }}
     - name: OpenSSL version
       run: openssl version -a

.github/workflows/codeql-analysis.yml

@@ -38,14 +38,15 @@ permissions:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       actions: read
       contents: read
       security-events: write
 
     strategy:
-      max-parallel: 20
+      max-parallel: 5
       fail-fast: false
       matrix:
         language: [ 'cpp', 'java' ]
@@ -72,7 +73,7 @@ jobs:
       if: ${{ matrix.language == 'java' }}
       uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
-        distribution: 'temurin'
+        distribution: 'zulu'
         java-version: ${{ matrix.java }}
 
     # Initializes the CodeQL tools for scanning.

.github/workflows/dependency-review.yml

@@ -24,6 +24,7 @@ permissions:
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/docker_images.yml

@@ -34,6 +34,7 @@ permissions:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     permissions:
       contents: read
       packages: write

.github/workflows/maven_crosstest.yml

@@ -70,6 +70,7 @@ jobs:
   build-cross-linux:
     needs: cleanup
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -94,26 +95,22 @@ jobs:
   # Use macOS to build its native binaries and package them with the Linux/Windows ones
   package-macos:
     needs: build-cross-linux
-    runs-on: macos-13 # macos-14 does not have Java 8
+    runs-on: macos-15
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up JDK
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
-          distribution: 'temurin'
-          java-version: 8
+          distribution: 'zulu'
+          java-version: 11
+          cache: 'maven'
           # these values cause the plugin to set up the Maven settings.xml file
           server-id: apache.snapshots.https # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: NEXUS_USER # env variable for username in deploy
           server-password: NEXUS_PW # env variable for token in deploy
-      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 #v5.0.3
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
       - name: Build on macOS
         run: |
           mvn -V -B -ntp test -DskipTests
@@ -157,19 +154,23 @@ jobs:
   standalone:
     needs: package-macos
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
     # continue-on-error: ${{ matrix.experimental }}
     strategy:
-      max-parallel: 20		
+      max-parallel: 20
       matrix:
         include:
-          - os: macos-13  # macos-14 does not have Java 8
-            java: 8
+          - os: macos-15-intel
+            java: 11
             expectedPath: Mac/x86_64
+          - os: macos-15
+            java: 11
+            expectedPath: Mac/aarch64
           - os: ubuntu-latest
-            java: 8
+            java: 11
             expectedPath: Linux/x86_64
           - os: windows-latest
-            java: 8
+            java: 11
             expectedPath: Windows/x86_64
     steps:
       - name: Checkout code
@@ -185,18 +186,12 @@ jobs:
           fail-on-cache-miss: true
       - name: Show files
         run: ls -l target
-      - name: Cache Maven
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 #v5.0.3
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
       - name: Set up JDK ${{ matrix.java }}
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
-          distribution: 'temurin'
+          distribution: 'zulu'
           java-version: ${{ matrix.java }}
+          cache: 'maven'
       - name: OpenSSL version (default)
         run: openssl version -a
       - name: OpenSSL engine (macOS)
@@ -214,6 +209,7 @@ jobs:
   test-cross-linux:
     needs: package-macos
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -234,7 +230,7 @@ jobs:
           IMAGE_PREFIX=${IMAGE_PREFIX} docker compose -f src/docker/docker-compose-gh.yaml run --quiet-pull crypto-aarch64-gh \
             src/docker/test_cross.sh -Ptest-with-jar -DOsInfoTest.expectedPath=Linux/aarch64
       - name: Run on riscv64
-        # See https://github.com/java-native-access/jna/issues/1557
+        # locked to 5.12.0 - see https://github.com/java-native-access/jna/issues/1557
         run: |
           IMAGE_PREFIX=${IMAGE_PREFIX} docker compose -f src/docker/docker-compose-gh.yaml run --quiet-pull crypto-riscv64-gh \
             src/docker/test_cross.sh -Ptest-with-jar -DOsInfoTest.expectedPath=Linux/riscv64 -Djna.version=5.12.0

.github/workflows/scorecards-analysis.yml

@@ -32,7 +32,8 @@ jobs:
   analysis:
 
     name: "Scorecards analysis"
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       # Needed to upload the results to the code-scanning dashboard.
       security-events: write

pom.xml

@@ -81,7 +81,7 @@ The following provides more details on the included cryptographic software:
   Running examples (these are under the test tree, so need test scope):
   mvn -q -Dexec.classpathScope=test -Dexec.mainClass=org.apache.commons.crypto.examples.CLASSNAME
     where CLASSNAME is CipherByteArrayExample, CipherByteBufferExample, RandomExample, StreamExample
-  
+
   Additional options
   -Djna.debug_load - debug JNA loading
   -Dcommons.crypto.debug - add some Commons Crypto debugging
@@ -318,11 +318,12 @@ The following provides more details on the included cryptographic software:
             <artifactId>maven-surefire-plugin</artifactId>
             <configuration>
               <classesDirectory>/dev/null</classesDirectory>
+              <testClassesDirectory>${project.build.testOutputDirectory}</testClassesDirectory>
               <additionalClasspathElements>${project.build.directory}/${project.artifactId}-${project.version}.jar</additionalClasspathElements>
             </configuration>
           </plugin>
         </plugins>
-      </build>      
+      </build>
     </profile>
   </profiles>
   <build>
@@ -623,7 +624,7 @@ The following provides more details on the included cryptographic software:
     </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
-      <artifactId>junit-jupiter</artifactId>
+      <artifactId>junit-jupiter-api</artifactId>
       <scope>test</scope>
     </dependency>
     <dependency>