ci: refactoring cache, openssl

denji · denji · commit a9dbf635c479 · 2026-04-02T09:17:27.000+03:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -52,10 +52,26 @@ jobs:
           - { os: ubuntu-24.04, nginx: "1.29.7", openssl: system, pcre: pcre2 }
 
           # -- Pinned OpenSSL 3.6.1 — exercises the EVP_MAC code path -----------
-          # Built from source; linked statically via --with-openssl= and
-          # --with-openssl-opt=no-shared (prevents the dynamic linker from
-          # falling back to the system OpenSSL at runtime).
-          # Only ubuntu-24.04; only the three currently maintained versions.
+          # OpenSSL is built from source as a static-only (no-shared) install
+          # into ~/openssl, then nginx is pointed at it via --with-cc-opt and
+          # --with-ld-opt only — NOT --with-openssl=<src>.
+          #
+          # Why NOT --with-openssl=<src>:
+          #   nginx's Makefile always injects a bare "-lcrypto" flag before the
+          #   explicit static archive paths in the final link command.  When
+          #   --with-openssl=<src> is used, the search path does not include the
+          #   internal .openssl/lib directory, so that bare flag fails with
+          #   "cannot find -lcrypto" once libssl-dev is absent.
+          #
+          # Why libssl-dev must NOT be installed for these jobs:
+          #   With libssl-dev present, "-lcrypto" resolves to the system's
+          #   libcrypto.so.3 (OpenSSL 3.0.x) regardless of what comes later in
+          #   the link command, producing a binary that runs with the wrong
+          #   version.  Without libssl-dev, "-lcrypto" and "-lssl" resolve
+          #   exclusively to the static archives in ~/openssl/lib64 via the
+          #   -L flag in --with-ld-opt.
+          #
+          # Only ubuntu-24.04; only the three currently maintained nginx versions.
           - { os: ubuntu-24.04, nginx: "1.26.3", openssl: "3.6.1", pcre: pcre2 }
           - { os: ubuntu-24.04, nginx: "1.28.3", openssl: "3.6.1", pcre: pcre2 }
           - { os: ubuntu-24.04, nginx: "1.29.7", openssl: "3.6.1", pcre: pcre2 }
@@ -72,10 +88,20 @@ jobs:
           sudo apt-get install -y --no-install-recommends \
             build-essential \
             zlib1g-dev      \
-            libssl-dev      \
             curl            \
             ca-certificates
 
+      # -----------------------------------------------------------------------
+      # libssl-dev provides the system OpenSSL headers and shared libraries.
+      # It is required for system OpenSSL jobs (headers + libcrypto.so for
+      # nginx's configure feature tests and final linking).
+      #
+      # It must NOT be installed for pinned OpenSSL jobs — see matrix comment.
+      # -----------------------------------------------------------------------
+      - name: Install system OpenSSL headers (system OpenSSL jobs only)
+        if: matrix.openssl == 'system'
+        run: sudo apt-get install -y --no-install-recommends libssl-dev
+
       # -----------------------------------------------------------------------
       # PCRE: NGINX 1.20.x requires PCRE1 (libpcre3-dev).
       #       NGINX 1.26+   uses PCRE2 (libpcre2-dev) by default.
@@ -89,12 +115,32 @@ jobs:
         run: sudo apt-get install -y --no-install-recommends libpcre2-dev
 
       # -----------------------------------------------------------------------
-      # Build a pinned OpenSSL from source when matrix.openssl is not "system".
-      # Installed into ${HOME}/openssl as a static build; the NGINX configure
-      # step links against it via --with-openssl= and --with-openssl-opt=no-shared.
+      # Cache the installed static OpenSSL tree (~/openssl).
+      # Key: version + OS.  Bump -vN to bust manually if needed.
+      #
+      # Note on "Failed to save" warnings: GitHub Actions has no write lock on
+      # cache keys.  When several jobs share the same key and finish concurrently
+      # for the first time, the first writer wins and the rest log a warning.
+      # This is harmless — all jobs read the cache successfully on subsequent
+      # runs.  It is a first-run-only occurrence.
       # -----------------------------------------------------------------------
-      - name: Build OpenSSL ${{ matrix.openssl }} from source
+      - name: Cache OpenSSL ${{ matrix.openssl }} build
         if: matrix.openssl != 'system'
+        id: cache-openssl
+        uses: actions/cache@v4
+        with:
+          path: ~/openssl
+          key: openssl-${{ matrix.openssl }}-${{ matrix.os }}-v1
+
+      # -----------------------------------------------------------------------
+      # Build OpenSSL from source only on cache miss.
+      #
+      # "make build_sw" compiles libraries + CLI only — it skips the full test
+      # suite (200+ binaries) that "make" would build, saving several minutes.
+      # "make install_sw" installs into ~/openssl without docs or man pages.
+      # -----------------------------------------------------------------------
+      - name: Build OpenSSL ${{ matrix.openssl }} from source
+        if: matrix.openssl != 'system' && steps.cache-openssl.outputs.cache-hit != 'true'
         env:
           OPENSSL_VERSION: ${{ matrix.openssl }}
         run: |
@@ -106,9 +152,8 @@ jobs:
           ./Configure --prefix="${HOME}/openssl" \
                       --openssldir="${HOME}/openssl" \
                       no-shared linux-x86_64
-          make -j"$(nproc)"
+          make -j"$(nproc)" build_sw
           make install_sw
-          echo "OPENSSL_SRC=${PWD}" >> "${GITHUB_ENV}"
 
       # -----------------------------------------------------------------------
       - name: Download and extract NGINX ${{ matrix.nginx }}
@@ -133,17 +178,26 @@ jobs:
             --with-cc-opt="-Wall -Wextra -Wno-unused-parameter" \
             2>&1 | tee configure.log
 
+      # -----------------------------------------------------------------------
+      # Pinned OpenSSL: configure nginx using --with-cc-opt / --with-ld-opt
+      # pointing at ~/openssl.  --with-openssl=<src> is intentionally omitted.
+      #
+      # --with-cc-opt: supplies the 3.6.1 headers for compilation.
+      # --with-ld-opt: adds ~/openssl/lib64 to the linker search path so that
+      #   the "-lssl" and "-lcrypto" flags nginx injects resolve to the static
+      #   archives there.  -ldl and -pthread satisfy OpenSSL's own link deps
+      #   when statically linked.
+      # -----------------------------------------------------------------------
       - name: Configure NGINX (pinned OpenSSL ${{ matrix.openssl }})
         if: matrix.openssl != 'system'
         run: |
           cd "${NGINX_SRC}"
           ./configure \
             --with-http_ssl_module  \
             --with-http_v2_module   \
-            --with-openssl="${OPENSSL_SRC}" \
-            --with-openssl-opt=no-shared \
+            --with-cc-opt="-Wall -Wextra -Wno-unused-parameter -I${HOME}/openssl/include" \
+            --with-ld-opt="-L${HOME}/openssl/lib64 -ldl -pthread" \
             --add-module="${GITHUB_WORKSPACE}" \
-            --with-cc-opt="-Wall -Wextra -Wno-unused-parameter" \
             2>&1 | tee configure.log
 
       # -----------------------------------------------------------------------
@@ -165,20 +219,39 @@ jobs:
             ${{ env.NGINX_SRC }}/build.log
 
       # -----------------------------------------------------------------------
+      # Cache cpanm-installed Perl modules (Test::Nginx + ~17 deps).
+      # apt packages (cpanminus, libdigest-*) are fast and not cached.
+      #
+      # Both paths are required:
+      #   /usr/local/share/perl  — pure-Perl modules
+      #   /usr/local/lib/perl5   — XS modules (e.g. List::MoreUtils::XS)
+      #
+      # "Failed to save" on first run: see OpenSSL cache note above — same
+      # mechanism.  Harmless; all parallel jobs on subsequent runs get hits.
+      # -----------------------------------------------------------------------
+      - name: Cache Perl dependencies
+        id: cache-perl
+        uses: actions/cache@v4
+        with:
+          path: |
+            /usr/local/share/perl
+            /usr/local/lib/perl5
+          key: perl-test-nginx-0.32-${{ matrix.os }}-v1
+
       - name: Install Perl test dependencies
         run: |
           sudo apt-get install -y --no-install-recommends \
             cpanminus            \
             libdigest-sha-perl   \
             libdigest-hmac-perl  \
             liburi-perl
-          # Test::Nginx is not packaged in Ubuntu apt repos.
-          sudo cpanm --notest Test::Nginx
+          if [ "${{ steps.cache-perl.outputs.cache-hit }}" != "true" ]; then
+            sudo cpanm --notest Test::Nginx
+          fi
 
       # -----------------------------------------------------------------------
       - name: Verify NGINX binary
-        run: |
-          "${NGINX_SRC}/objs/nginx" -V 2>&1
+        run: "${NGINX_SRC}/objs/nginx" -V 2>&1
 
       # -----------------------------------------------------------------------
       - name: Syntax-check test files
@@ -193,10 +266,7 @@ jobs:
         env:
           TEST_NGINX_BINARY: "${{ env.NGINX_SRC }}/objs/nginx"
           TEST_NGINX_SERVROOT: "${{ runner.temp }}/nginx-test"
-        run: |
-          # Runs all test files: 01_basic.t  02_timestamps.t  03_algorithms.t
-          #                         04_variables.t  05_integration.t
-          prove -I t/lib -v --timer t/
+        run: prove -I t/lib -v --timer t/
 
       # -----------------------------------------------------------------------
       - name: Upload nginx error log on test failure
