Optimize CI for wolfProvider #955
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: KRB5 Tests | |
| # START OF COMMON SECTION | |
| on: | |
| push: | |
| branches: [ 'master', 'main', 'release/**' ] | |
| pull_request: | |
| branches: [ '*' ] | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'LICENSE*' | |
| - '.github/ISSUE_TEMPLATE/**' | |
| - '.github/dependabot.yml' | |
| - '.gitignore' | |
| - 'AUTHORS' | |
| - 'COPYING' | |
| - 'README*' | |
| - 'CHANGELOG*' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # END OF COMMON SECTION | |
| jobs: | |
| wait_for_smoke: | |
| name: Wait for smoke | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 35 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - uses: ./.github/actions/wait-for-smoke | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| build_wolfprovider: | |
| needs: wait_for_smoke | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| uses: ./.github/workflows/build-wolfprovider.yml | |
| with: | |
| wolfssl_ref: ${{ matrix.wolfssl_ref }} | |
| openssl_ref: ${{ matrix.openssl_ref }} | |
| fips_ref: ${{ matrix.fips_ref }} | |
| replace_default: ${{ matrix.replace_default }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| wolfssl_ref: [ 'v5.8.4-stable' ] | |
| openssl_ref: [ 'openssl-3.5.4' ] | |
| fips_ref: [ 'FIPS', 'non-FIPS' ] | |
| replace_default: [ true ] | |
| test_krb5: | |
| if: github.event_name != 'pull_request' || github.event.pull_request.draft == false | |
| runs-on: ubuntu-22.04 | |
| needs: build_wolfprovider | |
| container: | |
| image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm | |
| env: | |
| DEBIAN_FRONTEND: noninteractive | |
| # This should be a safe limit for the tests to run. | |
| timeout-minutes: 30 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| krb5_ref: [ 'krb5-1.20.1-final' ] | |
| wolfssl_ref: [ 'v5.8.4-stable' ] | |
| openssl_ref: [ 'openssl-3.5.4' ] | |
| fips_ref: [ 'FIPS', 'non-FIPS' ] | |
| replace_default: [ true ] | |
| env: | |
| WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages | |
| OPENSSL_PACKAGES_PATH: /tmp/openssl-packages | |
| WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages | |
| steps: | |
| - name: Checkout wolfProvider | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Download packages from build job | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }} | |
| path: /tmp | |
| - name: Install wolfSSL/OpenSSL/wolfprov packages | |
| run: | | |
| apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ | |
| ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb | |
| apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ | |
| ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \ | |
| ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \ | |
| ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb | |
| apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ | |
| ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb | |
| # Prevent later 'apt-get install' of test dependencies from | |
| # replacing the wolfprov-patched libssl3, which breaks | |
| # replace-default mode. | |
| apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov | |
| - name: Verify wolfProvider is properly installed | |
| run: | | |
| $GITHUB_WORKSPACE/scripts/verify-install.sh \ | |
| ${{ matrix.replace_default && '--replace-default' || '' }} \ | |
| ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }} | |
| - name: Checkout KRB5 | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: krb5/krb5 | |
| path: krb5 | |
| ref: ${{ matrix.krb5_ref }} | |
| fetch-depth: 1 | |
| - name: Checkout OSP | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: wolfssl/osp | |
| path: osp | |
| fetch-depth: 1 | |
| - run: | | |
| cd krb5 | |
| # Apply the wolfProvider patch | |
| if [ "${{ matrix.fips_ref }}" = "FIPS" ]; then | |
| patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/krb5/${{ matrix.krb5_ref }}-wolfprov-fips.patch | |
| else | |
| patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/krb5/${{ matrix.krb5_ref }}-wolfprov.patch | |
| fi | |
| - name: Build and test KRB5 with wolfProvider | |
| working-directory: krb5 | |
| shell: bash | |
| run: | | |
| set +o pipefail # ignore errors from make check | |
| # Build KRB5 | |
| cd src | |
| autoreconf -fiv | |
| ./configure \ | |
| --prefix=$GITHUB_WORKSPACE/krb5-install \ | |
| --with-crypto-impl=openssl \ | |
| --disable-pkinit \ | |
| CFLAGS="-I$GITHUB_WORKSPACE/openssl-install/include" \ | |
| LDFLAGS="-L$GITHUB_WORKSPACE/openssl-install/lib64 -Wl,-rpath=$GITHUB_WORKSPACE/openssl-install/lib64" | |
| make -j$(nproc) | |
| make install | |
| # --- normal mode --- | |
| # Run tests and save output | |
| make check 2>&1 | tee krb5-test-normal.log | |
| TEST_RESULT=${PIPESTATUS[0]} | |
| $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "" krb5 | |
| # --- force-fail mode --- | |
| export WOLFPROV_FORCE_FAIL=1 | |
| # Run tests and save output | |
| make check 2>&1 | tee krb5-test-ff.log | |
| TEST_RESULT=${PIPESTATUS[0]} | |
| $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT "WOLFPROV_FORCE_FAIL=1" krb5 |