ci: verify static driver links against OpenSSL 3.0

Add a Makefile target and CI steps that verify the static driver
archive can link against OpenSSL 3.0.2 (our minimum supported
version). The test copies the already-built static archive and
pkg-config metadata into a sysroot alongside OpenSSL 3.0.2 headers
and static libraries from a pinned Launchpad deb, then attempts to
compile and link examples/ssl/ssl.c.

If the build environment was contaminated (e.g. by Homebrew exposing
a newer OpenSSL with IDEA or 3.3+ APIs), the archive will contain
symbol references that don't exist in OpenSSL 3.0 and the link will
fail — catching the regression from issue #455.

The verification runs in both PR CI (after build-integration-test-bin)
and packaging CI (after test-package-deb), since both produce the
static archive in build/.

Author: wprzytula

.github/workflows/build-cpack-packages.yml

@@ -47,6 +47,9 @@ jobs:
       - name: Build and test DEB packages
         run: make test-package-deb
 
+      - name: Verify static driver links against OpenSSL 3.0 (issue #455)
+        run: make verify-openssl-3.0-compat
+
       - name: Collect artifacts
         if: inputs.save-artifacts
         run: make collect-package-artifacts

.github/workflows/build-lint-and-test.yml

@@ -47,6 +47,9 @@ jobs:
         id: build-integration-test-bin
         run: make build-integration-test-bin
 
+      - name: Verify static driver links against OpenSSL 3.0 (issue #455)
+        run: make verify-openssl-3.0-compat
+
       - name: Save integration test binary
         uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         id: save-integration-test-bin

Makefile

@@ -275,6 +275,46 @@ build-integration-test-bin-if-missing:
 	@cd "${BUILD_DIR}"
 	cmake -DCASS_BUILD_INTEGRATION_TESTS=ON -DCMAKE_BUILD_TYPE=Release .. && (make -j 4 || make)
 
+# =============================================================================
+# OpenSSL 3.0 Compatibility Verification
+# =============================================================================
+# Regression test for issue #455: ensures the static driver archive can link
+# against OpenSSL 3.0 (our minimum supported version). Rather than rebuilding
+# from source, this target uses the artifact already produced by the default
+# build (which enables both shared and static). If the archive references
+# symbols only available in OpenSSL >3.0 (e.g. due to build environment
+# contamination), the link fails.
+#
+# This target is Linux/amd64-only (matches our release artifact platform).
+# =============================================================================
+
+OPENSSL_3_0_COMPAT_SYSROOT := /tmp/openssl-3.0-compat-sysroot
+OPENSSL_3_0_LIBSSL_DEV_URL := https://launchpad.net/ubuntu/+archive/primary/+files/libssl-dev_3.0.2-0ubuntu1_amd64.deb
+
+verify-openssl-3.0-compat:
+	@echo "=== Verifying static driver links against OpenSSL 3.0 (issue #455) ==="
+	rm -rf "$(OPENSSL_3_0_COMPAT_SYSROOT)"
+	DESTDIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" cmake --install "$(BUILD_DIR)"
+	curl -fL -o /tmp/libssl-dev_3.0.2.deb "$(OPENSSL_3_0_LIBSSL_DEV_URL)"
+	dpkg-deb -x /tmp/libssl-dev_3.0.2.deb "$(OPENSSL_3_0_COMPAT_SYSROOT)"
+	rm -f "$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/libssl.so"
+	rm -f "$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/libcrypto.so"
+	PKG_CONFIG_SYSROOT_DIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" \
+	PKG_CONFIG_PATH="$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/local/lib/x86_64-linux-gnu/pkgconfig:$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/pkgconfig" \
+	pkg-config --libs --static scylladb_static
+	cc \
+		$$(PKG_CONFIG_SYSROOT_DIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" \
+		   PKG_CONFIG_PATH="$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/local/lib/x86_64-linux-gnu/pkgconfig:$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/pkgconfig" \
+		   pkg-config --cflags scylladb_static) \
+		examples/ssl/ssl.c \
+		$$(PKG_CONFIG_SYSROOT_DIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" \
+		   PKG_CONFIG_PATH="$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/local/lib/x86_64-linux-gnu/pkgconfig:$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/pkgconfig" \
+		   pkg-config --libs --static scylladb_static) \
+		-o /tmp/openssl-3.0-compat-link-test
+	@echo "=== OpenSSL 3.0 compatibility verified ==="
+	rm -rf "$(OPENSSL_3_0_COMPAT_SYSROOT)" \
+		/tmp/libssl-dev_3.0.2.deb /tmp/openssl-3.0-compat-link-test
+
 build-examples:
 	@echo "Building examples to ${EXAMPLES_DIR}"
 	@mkdir "${BUILD_DIR}" >/dev/null 2>&1 || true