From 732e20c548d47f732ec08e7c0005acd1064bbc84 Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Fri, 9 May 2025 17:02:01 -0300
Subject: [PATCH 1/7] ci: manually install OpenSSL 1.1.1w
---
 .github/actions/install-openssl/action.yml | 35 ++++++++++++
 .github/actions/install-ruby/action.yml | 66 ++++++++++++++++++++++
 .github/workflows/build.yml | 18 +++++-
 3 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 .github/actions/install-openssl/action.yml
 create mode 100644 .github/actions/install-ruby/action.yml
diff --git a/.github/actions/install-openssl/action.yml b/.github/actions/install-openssl/action.yml
new file mode 100644
index 00000000..bc4234a4
--- /dev/null
+++ b/.github/actions/install-openssl/action.yml
@@ -0,0 +1,35 @@
+name: Install OpenSSL
+
+inputs:
+ version:
+ description: 'The version of OpenSSL to install'
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Cache OpenSSL library
+ id: cache-openssl
+ uses: actions/cache@v4
+ with:
+ path: ~/openssl
+ key: openssl-${{ inputs.version }}
+
+ - name: Compile OpenSSL library
+ if: steps.cache-openssl.outputs.cache-hit != 'true'
+ shell: bash
+ run: |
+ mkdir -p tmp/build-openssl && cd tmp/build-openssl
+ case ${{ inputs.version }} in
+ 1.1.*)
+ OPENSSL_COMMIT=OpenSSL_
+ OPENSSL_COMMIT+=$(echo ${{ inputs.version }} | sed -e 's/\./_/g')
+ git clone -b $OPENSSL_COMMIT --depth 1 https://github.com/openssl/openssl.git .
+ echo "Git commit: $(git rev-parse HEAD)"
+ ./Configure --prefix=$HOME/openssl --libdir=lib linux-x86_64
+ make depend && make -j4 && make install_sw
+ ;;
+ *)
+ echo "Don't know how to build OpenSSL ${{ inputs.version }}"
+ ;;
+ esac
diff --git a/.github/actions/install-ruby/action.yml b/.github/actions/install-ruby/action.yml
new file mode 100644
index 00000000..33dcb924
--- /dev/null
+++ b/.github/actions/install-ruby/action.yml
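Review bot: In the `Compile OpenSSL library` step of install-openssl/action.yml, `${{ inputs.version }}` is pasted into the bash script as text before the shell runs, and unquoted, so whatever a caller supplies is parsed as shell syntax rather than handled as data. The only caller visible in this patch passes a literal from build.yml, but a composite action is a reusable boundary and should not rely on that. Pass the input through the step environment instead, `env:` with `OPENSSL_VERSION: ${{ inputs.version }}`, and use `case "$OPENSSL_VERSION" in` and `"$OPENSSL_VERSION"` inside the script. The same pattern appears in the `run:` steps of install-ruby/action.yml in this patch and in the `3.*` branch added in PATCH 4/7.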
@@ -0,0 +1,66 @@
+name: Install Ruby
+
+inputs:
+ version:
+ description: 'The version of Ruby to install'
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Cache Ruby
+ id: ruby-cache
+ uses: actions/cache@v4
+ with:
+ path: ~/rubies/ruby-${{ inputs.version }}
+ key: ruby-${{ inputs.version }}-openssl-1.1.1w
+
+ - name: Install Ruby
+ if: steps.ruby-cache.outputs.cache-hit != 'true'
+ shell: bash
+ run: |
+ latest_patch=$(curl -s https://cache.ruby-lang.org/pub/ruby/${{ inputs.version }}/ \
+ | grep -oP "ruby-${{ inputs.version }}\.\d+\.tar\.xz" \
+ | grep -oP "\d+(?=\.tar\.xz)" \
+ | sort -V | tail -n 1)
+ wget https://cache.ruby-lang.org/pub/ruby/${{ inputs.version }}/ruby-${{ inputs.version }}.${latest_patch}.tar.xz
+ tar -xJvf ruby-${{ inputs.version }}.${latest_patch}.tar.xz
+ cd ruby-${{ inputs.version }}.${latest_patch}
+ ./configure --prefix=$HOME/rubies/ruby-${{ inputs.version }} --with-openssl-dir=$HOME/openssl
+ make
+ make install
+
+ - name: Update PATH
+ shell: bash
+ run: |
+ echo "~/rubies/ruby-${{ inputs.version }}/bin" >> $GITHUB_PATH
+
+ - name: Install Bundler
+ shell: bash
+ run: |
+ case ${{ inputs.version }} in
+ 2.7* | 3.*)
+ echo "Skipping Bundler installation for Ruby ${{ inputs.version }}"
+ ;;
+ 2.5* | 2.6*)
+ gem install bundler -v '~> 2.3.0'
+ ;;
+ *)
+ echo "Don't know how to install Bundler for Ruby ${{ inputs.version }}"
+ ;;
+ esac
+
+ - name: Cache Bundler Install
+ id: bundler-cache
+ uses: actions/cache@v4
+ env:
+ GEMFILE: ${{ env.BUNDLE_GEMFILE || 'Gemfile' }}
+ with:
+ path: ~/bundler/cache
+ key: bundler-ruby-${{ inputs.version }}-${{ hashFiles(env.Gemfile, 'webauthn.gemspec') }}
+
+ - name: Install dependencies
+ shell: bash
+ run: |
+ bundle config set --local path ~/bundler/cache
+ bundle install
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0c7eaf91..310ecf52 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
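Review bot: The `Install Ruby` step compiles and caches whatever archive `wget` returns, with no checksum or signature check, and the patch level is picked at run time by scraping the directory index. The result is stored under `ruby-${{ inputs.version }}-openssl-1.1.1w`, a key that does not record which patch release was built, so a cached interpreter cannot be traced back to a specific source archive. Consider pinning the full version per matrix entry and verifying the archive before `tar`, e.g. `echo "<expected-sha256>  ruby-<full-version>.tar.xz" | sha256sum -c -`. The `git clone -b <tag>` in install-openssl/action.yml has the same gap: the resolved commit is printed but never compared with an expected value.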
@@ -31,10 +31,26 @@ jobs: - truffleruby steps: - uses: actions/checkout@v5 - - uses: ruby/setup-ruby@v1 + + - name: Install OpenSSL + if: matrix.ruby != 'truffleruby' + uses: ./.github/actions/install-openssl + with: + version: "1.1.1w" + + - name: Manually set up Ruby + if: matrix.ruby != 'truffleruby' + uses: ./.github/actions/install-ruby + with: + version: ${{ matrix.ruby }} + + - name: Set up Ruby + if: matrix.ruby == 'truffleruby' + uses: ruby/setup-ruby@v1 with: ruby-version: ${{ matrix.ruby }} bundler-cache: true + - run: bundle exec rspec env: RUBYOPT: ${{ startsWith(matrix.ruby, '3.4') && '--enable=frozen-string-literal' || '' }} From 59d5dc87f2493ded4018954f30ccc4c44877a7a5 Mon Sep 17 00:00:00 2001 From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com> Date: Fri, 9 May 2025 18:01:42 -0300 Subject: [PATCH 2/7] ci: cache even when job fails --- .github/actions/install-openssl/action.yml | 16 +++++++++--- .github/actions/install-ruby/action.yml | 29 ++++++++++++++++------ 2 files changed, 34 insertions(+), 11 deletions(-) diff --git a/.github/actions/install-openssl/action.yml b/.github/actions/install-openssl/action.yml index bc4234a4..f702e7dc 100644 --- a/.github/actions/install-openssl/action.yml +++ b/.github/actions/install-openssl/action.yml @@ -8,15 +8,15 @@ inputs: runs: using: 'composite' steps: - - name: Cache OpenSSL library - id: cache-openssl - uses: actions/cache@v4 + - name: Restore cached OpenSSL library + id: cache-openssl-restore + uses: actions/cache/restore@v4 with: path: ~/openssl key: openssl-${{ inputs.version }} - name: Compile OpenSSL library - if: steps.cache-openssl.outputs.cache-hit != 'true' + if: steps.cache-openssl-restore.outputs.cache-hit != 'true' shell: bash run: | mkdir -p tmp/build-openssl && cd tmp/build-openssl 
@@ -33,3 +33,11 @@ runs: echo "Don't know how to build OpenSSL ${{ inputs.version }}" ;; esac + + - name: Save OpenSSL library cache + if: steps.cache-openssl-restore.outputs.cache-hit != 'true' + id: cache-openssl-save + uses: actions/cache/save@v4 + with: + path: ~/openssl + key: ${{ steps.cache-openssl-restore.outputs.cache-primary-key }} diff --git a/.github/actions/install-ruby/action.yml b/.github/actions/install-ruby/action.yml index 33dcb924..b684207b 100644 --- a/.github/actions/install-ruby/action.yml +++ b/.github/actions/install-ruby/action.yml @@ -8,15 +8,15 @@ inputs: runs: using: 'composite' steps: - - name: Cache Ruby - id: ruby-cache - uses: actions/cache@v4 + - name: Restore cached Ruby installation + id: cache-ruby-restore + uses: actions/cache/restore@v4 with: path: ~/rubies/ruby-${{ inputs.version }} key: ruby-${{ inputs.version }}-openssl-1.1.1w - name: Install Ruby - if: steps.ruby-cache.outputs.cache-hit != 'true' + if: steps.cache-ruby-restore.outputs.cache-hit != 'true' shell: bash run: | latest_patch=$(curl -s https://cache.ruby-lang.org/pub/ruby/${{ inputs.version }}/ \ 
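Review bot: The new `Save OpenSSL library cache` step runs whenever the restore missed and the earlier steps succeeded, and the `*)` branch directly above it only echoes a message, so an unsupported version reaches the save step with nothing built. install-ruby/action.yml (PATCH 1/7) then configures against `$HOME/openssl` regardless. Make the fallback fail by adding `exit 1` after the echo, and consider checking the output of `"$HOME/openssl/bin/openssl" version` against the requested version before saving, because an entry stored under `openssl-<version>` is restored by later runs that match that key. The compile step's body starts outside this hunk.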
@@ -50,17 +50,32 @@ runs: ;; esac + - name: Save Ruby installation cache + if: steps.cache-ruby-restore.outputs.cache-hit != 'true' + id: cache-ruby-save + uses: actions/cache/save@v4 + with: + path: ~/rubies/ruby-${{ inputs.version }} + key: ${{ steps.cache-ruby-restore.outputs.cache-primary-key }} + - name: Cache Bundler Install - id: bundler-cache - uses: actions/cache@v4 + id: cache-bundler-restore + uses: actions/cache/restore@v4 env: GEMFILE: ${{ env.BUNDLE_GEMFILE || 'Gemfile' }} with: path: ~/bundler/cache - key: bundler-ruby-${{ inputs.version }}-${{ hashFiles(env.Gemfile, 'webauthn.gemspec') }} + key: bundler-ruby-${{ inputs.version }}-openssl-1.1.1w-${{ hashFiles(env.Gemfile, 'webauthn.gemspec') }} - name: Install dependencies shell: bash run: | bundle config set --local path ~/bundler/cache bundle install + + - name: Save Bundler Install cache + id: cache-bundler-save + uses: actions/cache/save@v4 + with: + path: ~/bundler/cache + key: ${{ steps.cache-bundler-restore.outputs.cache-primary-key }} From 202a5763315a46b1b6c9eaf33ea9187cb16a3ebe Mon Sep 17 00:00:00 2001 From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com> Date: Fri, 16 May 2025 12:03:41 -0300 Subject: [PATCH 3/7] ci: avoid harcoding openssl-1.1.1w in install-ruby action --- .github/actions/install-ruby/action.yml | 7 +++++-- .github/workflows/build.yml | 1 + 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/actions/install-ruby/action.yml b/.github/actions/install-ruby/action.yml index b684207b..bab7374f 100644 --- a/.github/actions/install-ruby/action.yml +++ b/.github/actions/install-ruby/action.yml @@ -4,6 +4,9 @@ inputs: version: description: 'The version of Ruby to install' required: true + openssl-version: + description: 'The version of OpenSSL used' + required: true runs: using: 'composite' 
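Review bot: `Save Bundler Install cache` has no `if:` guard, unlike the other two save steps in this series, so it also runs after an exact cache hit and tries to save under a key that already exists. Add `if: steps.cache-bundler-restore.outputs.cache-hit != 'true'` to match `Save Ruby installation cache`. The restore step also kept the name `Cache Bundler Install` although it now only restores; `Restore cached Bundler install` would match the naming used for the Ruby and OpenSSL steps.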
@@ -13,7 +16,7 @@ runs: uses: actions/cache/restore@v4 with: path: ~/rubies/ruby-${{ inputs.version }} - key: ruby-${{ inputs.version }}-openssl-1.1.1w + key: ruby-${{ inputs.version }}-${{ inputs.openssl-version }} - name: Install Ruby if: steps.cache-ruby-restore.outputs.cache-hit != 'true' @@ -65,7 +68,7 @@ runs: GEMFILE: ${{ env.BUNDLE_GEMFILE || 'Gemfile' }} with: path: ~/bundler/cache - key: bundler-ruby-${{ inputs.version }}-openssl-1.1.1w-${{ hashFiles(env.Gemfile, 'webauthn.gemspec') }} + key: bundler-ruby-${{ inputs.version }}-${{ inputs.openssl-version }}-${{ hashFiles(env.Gemfile, 'webauthn.gemspec') }} - name: Install dependencies shell: bash diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 310ecf52..284b1849 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -43,6 +43,7 @@ jobs: uses: ./.github/actions/install-ruby with: version: ${{ matrix.ruby }} + openssl-version: "1.1.1w" - name: Set up Ruby if: matrix.ruby == 'truffleruby' From df650996c3ed2c182618c97077e48a5a66912143 Mon Sep 17 00:00:00 2001 From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com> Date: Fri, 9 May 2025 17:15:52 -0300 Subject: [PATCH 4/7] ci: run against multiple openssl versions --- .github/actions/install-openssl/action.yml | 12 ++++++++++++ .github/workflows/build.yml | 16 +++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/.github/actions/install-openssl/action.yml b/.github/actions/install-openssl/action.yml index f702e7dc..18deda21 100644 --- a/.github/actions/install-openssl/action.yml +++ b/.github/actions/install-openssl/action.yml 
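Review bot: `inputs.openssl-version` is used only in the two cache keys; the build still takes OpenSSL from the fixed path in `--with-openssl-dir=$HOME/openssl` (unchanged from PATCH 1/7), so nothing checks that the label in the key matches the library Ruby was actually linked against. If `~/openssl` is missing or holds a different version, the interpreter would presumably still be cached under the requested label and the matrix would report coverage it does not have. A cheap guard after `make install` is to compare `ruby -ropenssl -e 'puts OpenSSL::OPENSSL_LIBRARY_VERSION'` with the input and fail on mismatch. The `Install Ruby` step body lies outside these hunks.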
@@ -29,6 +29,18 @@ runs: ./Configure --prefix=$HOME/openssl --libdir=lib linux-x86_64 make depend && make -j4 && make install_sw ;; + 3.*) + OPENSSL_COMMIT=openssl- + OPENSSL_COMMIT+=$(echo ${{ inputs.version }}) + git clone -b $OPENSSL_COMMIT --depth 1 https://github.com/openssl/openssl.git . + echo "Git commit: $(git rev-parse HEAD)" + if [[ ${{ inputs.version }} == 3.5* ]]; then + ./Configure --prefix=$HOME/openssl --libdir=lib enable-fips no-tests no-legacy + else + ./Configure --prefix=$HOME/openssl --libdir=lib enable-fips no-tests + fi + make -j4 && make install_sw && make install_fips + ;; *) echo "Don't know how to build OpenSSL ${{ inputs.version }}" ;; diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 284b1849..3aa4dde2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,7 +28,17 @@ jobs: - '2.7' - '2.6' - '2.5' - - truffleruby + openssl: + - '3.5.3' + - '3.4.2' + - '3.3.4' + - '3.2.5' + - '3.1.8' + - '3.0.17' + - '1.1.1w' + include: + - ruby: truffleruby + steps: - uses: actions/checkout@v5 @@ -36,14 +46,14 @@ jobs: if: matrix.ruby != 'truffleruby' uses: ./.github/actions/install-openssl with: - version: "1.1.1w" + version: ${{ matrix.openssl }} - name: Manually set up Ruby if: matrix.ruby != 'truffleruby' uses: ./.github/actions/install-ruby with: version: ${{ matrix.ruby }} - openssl-version: "1.1.1w" + openssl-version: ${{ matrix.openssl }} - name: Set up Ruby if: matrix.ruby == 'truffleruby' From 470173304bd7358a19acc3352e30d860e9352199 Mon Sep 17 00:00:00 2001 
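Review bot: The `3.*` branch passes `enable-fips`, runs `make install_fips`, and adds `no-legacy` only for 3.5, with no comment explaining why; nothing in the visible steps activates the FIPS provider, so it is unclear whether the test suite is meant to run against it. A short comment above the two `Configure` lines, along the lines of `# enable-fips/install_fips: <why the FIPS provider is built>; no-legacy on 3.5: <reason>`, would record the intent for whoever adds the next version. Separately, `OPENSSL_COMMIT+=$(echo ${{ inputs.version }})` needs no subshell; with the version passed through `env:` it can be `OPENSSL_COMMIT="openssl-${OPENSSL_VERSION}"`.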
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com> Date: Fri, 9 May 2025 19:01:00 -0300 Subject: [PATCH 5/7] ci: avoid running Ruby 3.0 or older against openssl 3 Those versions do not support OpenSSL 3 so those jobs are failing. For reference: - https://github.com/ruby/openssl/blob/080b21d/README.md#compatibility-and-maintenance-policy - https://www.rubyonmac.dev/openssl-versions-supported-by-ruby --- .github/workflows/build.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3aa4dde2..e47cabb0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -24,10 +24,6 @@ jobs: - '3.3' - '3.2' - '3.1' - - '3.0' - - '2.7' - - '2.6' - - '2.5' openssl: - '3.5.3' - '3.4.2' @@ -38,6 +34,14 @@ jobs: - '1.1.1w' include: - ruby: truffleruby + - ruby: '3.0' + openssl: '1.1.1w' + - ruby: '2.7' + openssl: '1.1.1w' + - ruby: '2.6' + openssl: '1.1.1w' + - ruby: '2.5' + openssl: '1.1.1w' steps: - uses: actions/checkout@v5 From ac812d3cc96649e988e7e6adef94807ba54f8165 Mon Sep 17 00:00:00 2001 From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com> Date: Wed, 17 Sep 2025 11:52:05 -0300 Subject: [PATCH 6/7] ci: add name to test job This will make it easier to understand which versions of Ruby and OpenSSL are at first sight. --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e47cabb0..dc0fd33a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,7 @@ on: jobs: test: + name: 'Test Ruby ${{ matrix.ruby }} with OpenSSL ${{ matrix.openssl }}' runs-on: ubuntu-24.04 strategy: fail-fast: false From 380e0d4815b234666493dc2539e01202cf558640 Mon Sep 17 00:00:00 2001 
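Review bot: The job `name` added in PATCH 6/7 interpolates `matrix.openssl`, but the `- ruby: truffleruby` include entry defines no `openssl` value, so that job's title would presumably end in `with OpenSSL ` followed by nothing. Either give that entry a label such as `openssl: 'default'` (the OpenSSL and manual Ruby steps are already skipped for truffleruby by their `if:` conditions) or fall back in the expression with `${{ matrix.openssl || 'default' }}`.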
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com> Date: Thu, 18 Sep 2025 13:53:29 -0300 Subject: [PATCH 7/7] ci: improve readability of ruby cache key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Nicolás Temciuc --- .github/actions/install-ruby/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/install-ruby/action.yml b/.github/actions/install-ruby/action.yml index bab7374f..c46d5f18 100644 --- a/.github/actions/install-ruby/action.yml +++ b/.github/actions/install-ruby/action.yml @@ -16,7 +16,7 @@ runs: uses: actions/cache/restore@v4 with: path: ~/rubies/ruby-${{ inputs.version }} - key: ruby-${{ inputs.version }}-${{ inputs.openssl-version }} + key: ruby-${{ inputs.version }}-with-openssl-${{ inputs.openssl-version }} - name: Install Ruby if: steps.cache-ruby-restore.outputs.cache-hit != 'true'