-
Notifications
You must be signed in to change notification settings - Fork 21
302 lines (272 loc) · 13.3 KB
/
ci.yml
File metadata and controls
302 lines (272 loc) · 13.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
name: CI
on:
push:
branches: ["master", "main", "develop"]
pull_request:
branches: ["master", "main", "develop"]
# ---------------------------------------------------------------------------
# Concurrency: cancel in-progress runs on the same ref so that only the
# latest commit on a branch is tested when pushes arrive quickly.
# ---------------------------------------------------------------------------
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
name: "nginx-${{ matrix.nginx }} / openssl-${{ matrix.openssl }} / ${{ matrix.os }}"
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
# -----------------------------------------------------------------------
# Explicit include-only matrix — no cross-product, full control.
#
# NGINX version notes:
# 1.20.2 legacy (Aug 2021) — PCRE1 only; ubuntu-22.04 exclusively
# (libpcre3-dev in main, gcc 11 compatible with that vintage).
# 1.26.3 legacy stable branch.
# 1.28.3 current stable (even minor = stable).
# 1.29.7 current mainline (odd minor = mainline).
#
# The "pcre" field is consumed by the install steps below; it does not
# affect the job name shown in the GitHub UI.
# -----------------------------------------------------------------------
include:
# -- Legacy: NGINX 1.20.2, PCRE1, Ubuntu 22.04 only ------------------
- { os: ubuntu-22.04, nginx: "1.20.2", openssl: system, pcre: pcre1 }
# -- Legacy stable: NGINX 1.26.3 -------------------------------------
- { os: ubuntu-22.04, nginx: "1.26.3", openssl: system, pcre: pcre2 }
- { os: ubuntu-24.04, nginx: "1.26.3", openssl: system, pcre: pcre2 }
# -- Current stable: NGINX 1.28.3 ------------------------------------
- { os: ubuntu-22.04, nginx: "1.28.3", openssl: system, pcre: pcre2 }
- { os: ubuntu-24.04, nginx: "1.28.3", openssl: system, pcre: pcre2 }
# -- Mainline: NGINX 1.29.7 -------------------------------------------
- { os: ubuntu-22.04, nginx: "1.29.7", openssl: system, pcre: pcre2 }
- { os: ubuntu-24.04, nginx: "1.29.7", openssl: system, pcre: pcre2 }
# -- Pinned OpenSSL 3.6.1 — exercises the EVP_MAC code path -----------
# OpenSSL is built from source as a static-only (no-shared) install
# into ~/openssl, then nginx is pointed at it via --with-cc-opt and
# --with-ld-opt only — NOT --with-openssl=<src>.
#
# Why NOT --with-openssl=<src>:
# nginx's Makefile always injects a bare "-lcrypto" flag before the
# explicit static archive paths in the final link command. When
# --with-openssl=<src> is used, the search path does not include the
# internal .openssl/lib directory, so that bare flag fails with
# "cannot find -lcrypto" once libssl-dev is absent.
#
# Why libssl-dev must NOT be installed for these jobs:
# With libssl-dev present, "-lcrypto" resolves to the system's
# libcrypto.so.3 (OpenSSL 3.0.x) regardless of what comes later in
# the link command, producing a binary that runs with the wrong
# version. Without libssl-dev, "-lcrypto" and "-lssl" resolve
# exclusively to the static archives in ~/openssl/lib64 via the
# -L flag in --with-ld-opt.
#
# Only ubuntu-24.04; only the three currently maintained nginx versions.
- { os: ubuntu-24.04, nginx: "1.26.3", openssl: "3.6.1", pcre: pcre2 }
- { os: ubuntu-24.04, nginx: "1.28.3", openssl: "3.6.1", pcre: pcre2 }
- { os: ubuntu-24.04, nginx: "1.29.7", openssl: "3.6.1", pcre: pcre2 }
steps:
# -----------------------------------------------------------------------
- name: Checkout module source
uses: actions/checkout@v4
# -----------------------------------------------------------------------
- name: Install system build dependencies
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends \
build-essential \
zlib1g-dev \
curl \
ca-certificates
# -----------------------------------------------------------------------
# libssl-dev provides the system OpenSSL headers and shared libraries.
# It is required for system OpenSSL jobs (headers + libcrypto.so for
# nginx's configure feature tests and final linking).
#
# It must NOT be installed for pinned OpenSSL jobs — see matrix comment.
# -----------------------------------------------------------------------
- name: Install system OpenSSL headers (system OpenSSL jobs only)
if: matrix.openssl == 'system'
run: sudo apt-get install -y --no-install-recommends libssl-dev
# -----------------------------------------------------------------------
# PCRE: NGINX 1.20.x requires PCRE1 (libpcre3-dev).
# NGINX 1.26+ uses PCRE2 (libpcre2-dev) by default.
# -----------------------------------------------------------------------
- name: Install PCRE1 (NGINX 1.20.x legacy)
if: matrix.pcre == 'pcre1'
run: sudo apt-get install -y --no-install-recommends libpcre3-dev
- name: Install PCRE2 (NGINX 1.26+)
if: matrix.pcre == 'pcre2'
run: sudo apt-get install -y --no-install-recommends libpcre2-dev
# -----------------------------------------------------------------------
# Cache the installed static OpenSSL tree (~/openssl).
# Key: version + OS. Bump -vN to bust manually if needed.
#
# Note on "Failed to save" warnings: GitHub Actions has no write lock on
# cache keys. When several jobs share the same key and finish concurrently
# for the first time, the first writer wins and the rest log a warning.
# This is harmless — all jobs read the cache successfully on subsequent
# runs. It is a first-run-only occurrence.
# -----------------------------------------------------------------------
- name: Cache OpenSSL ${{ matrix.openssl }} build
if: matrix.openssl != 'system'
id: cache-openssl
uses: actions/cache@v4
with:
path: ~/openssl
key: openssl-${{ matrix.openssl }}-${{ matrix.os }}-v1
# -----------------------------------------------------------------------
# Build OpenSSL from source only on cache miss.
#
# "make build_sw" compiles libraries + CLI only — it skips the full test
# suite (200+ binaries) that "make" would build, saving several minutes.
# "make install_sw" installs into ~/openssl without docs or man pages.
# -----------------------------------------------------------------------
- name: Build OpenSSL ${{ matrix.openssl }} from source
if: matrix.openssl != 'system' && steps.cache-openssl.outputs.cache-hit != 'true'
env:
OPENSSL_VERSION: ${{ matrix.openssl }}
run: |
curl -fsSL \
"https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" \
-o openssl.tar.gz
tar xf openssl.tar.gz
cd "openssl-${OPENSSL_VERSION}"
./Configure --prefix="${HOME}/openssl" \
--openssldir="${HOME}/openssl" \
no-shared linux-x86_64
make -j"$(nproc)" build_sw
make install_sw
# -----------------------------------------------------------------------
- name: Download and extract NGINX ${{ matrix.nginx }}
env:
NGINX_VERSION: ${{ matrix.nginx }}
run: |
curl -fsSL \
"https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
-o nginx.tar.gz
tar xf nginx.tar.gz
echo "NGINX_SRC=${PWD}/nginx-${NGINX_VERSION}" >> "${GITHUB_ENV}"
# -----------------------------------------------------------------------
- name: Configure NGINX (system OpenSSL)
if: matrix.openssl == 'system'
run: |
cd "${NGINX_SRC}"
./configure \
--with-http_ssl_module \
--with-http_v2_module \
--add-module="${GITHUB_WORKSPACE}" \
--with-cc-opt="-Wall -Wextra -Wno-unused-parameter" \
2>&1 | tee configure.log
# -----------------------------------------------------------------------
# Pinned OpenSSL: configure nginx using --with-cc-opt / --with-ld-opt
# pointing at ~/openssl. --with-openssl=<src> is intentionally omitted.
#
# --with-cc-opt: supplies the 3.6.1 headers for compilation.
# --with-ld-opt: adds ~/openssl/lib64 to the linker search path so that
# the "-lssl" and "-lcrypto" flags nginx injects resolve to the static
# archives there. -ldl and -pthread satisfy OpenSSL's own link deps
# when statically linked.
# -----------------------------------------------------------------------
- name: Configure NGINX (pinned OpenSSL ${{ matrix.openssl }})
if: matrix.openssl != 'system'
run: |
cd "${NGINX_SRC}"
./configure \
--with-http_ssl_module \
--with-http_v2_module \
--with-cc-opt="-Wall -Wextra -Wno-unused-parameter -I${HOME}/openssl/include" \
--with-ld-opt="-L${HOME}/openssl/lib64 -ldl -pthread" \
--add-module="${GITHUB_WORKSPACE}" \
2>&1 | tee configure.log
# -----------------------------------------------------------------------
- name: Build NGINX
run: |
cd "${NGINX_SRC}"
make -j"$(nproc)" 2>&1 | tee build.log
ls -lh objs/nginx
objs/nginx -V 2>&1
# -----------------------------------------------------------------------
- name: Upload configure / build logs on failure
if: failure()
uses: actions/upload-artifact@v4
with:
name: build-logs-nginx${{ matrix.nginx }}-ossl${{ matrix.openssl }}-${{ matrix.os }}
path: |
${{ env.NGINX_SRC }}/configure.log
${{ env.NGINX_SRC }}/build.log
# -----------------------------------------------------------------------
# Cache cpanm-installed Perl modules (Test::Nginx + ~17 deps).
# apt packages (cpanminus, libdigest-*) are fast and not cached.
#
# Both paths are required:
# /usr/local/share/perl — pure-Perl modules
# /usr/local/lib/perl5 — XS modules (e.g. List::MoreUtils::XS)
#
# "Failed to save" on first run: see OpenSSL cache note above — same
# mechanism. Harmless; all parallel jobs on subsequent runs get hits.
# -----------------------------------------------------------------------
- name: Cache Perl dependencies
id: cache-perl
uses: actions/cache@v4
with:
path: |
/usr/local/share/perl
/usr/local/lib/perl5
key: perl-test-nginx-0.32-${{ matrix.os }}-v1
- name: Install Perl test dependencies
run: |
sudo apt-get install -y --no-install-recommends \
cpanminus \
libdigest-sha-perl \
libdigest-hmac-perl \
liburi-perl
if [ "${{ steps.cache-perl.outputs.cache-hit }}" != "true" ]; then
sudo cpanm --notest Test::Nginx
fi
# -----------------------------------------------------------------------
- name: Verify NGINX binary
run: |
"${NGINX_SRC}/objs/nginx" -V 2>&1
# -----------------------------------------------------------------------
- name: Syntax-check test files
run: |
for f in t/01_basic.t t/02_timestamps.t t/03_algorithms.t \
t/04_variables.t t/05_integration.t; do
perl -I t/lib -c "$f"
done
# -----------------------------------------------------------------------
- name: Run test suite
env:
TEST_NGINX_BINARY: "${{ env.NGINX_SRC }}/objs/nginx"
TEST_NGINX_SERVROOT: "${{ runner.temp }}/nginx-test"
run: prove -I t/lib -v --timer t/
# -----------------------------------------------------------------------
- name: Upload nginx error log on test failure
if: failure()
uses: actions/upload-artifact@v4
with:
name: nginx-error-log-nginx${{ matrix.nginx }}-ossl${{ matrix.openssl }}-${{ matrix.os }}
path: "${{ runner.temp }}/nginx-test/logs/error.log"
# ---------------------------------------------------------------------------
# Lint: cppcheck static analysis — fast, no NGINX source needed.
# ---------------------------------------------------------------------------
lint:
name: "cppcheck static analysis"
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install cppcheck
run: sudo apt-get install -y cppcheck
- name: Run cppcheck
run: |
cppcheck \
--enable=all \
--inconclusive \
--std=c99 \
--suppress=missingIncludeSystem \
--suppress=variableScope \
--error-exitcode=1 \
ngx_http_hmac_secure_link_module.c 2>&1