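# Reusable workflow: build (or fetch pre-built) wolfProvider packages / Yocto images
# and publish them as a short-lived workflow artifact for downstream jobs.
#
# Workflow inputs are never interpolated directly into `run:` script text; each step
# that needs one exposes it through `env:` and reads the shell variable instead, so a
# ref or input string cannot change the shell syntax of the step.
#
# NOTE(review): third-party actions (checkout, download-artifact, upload-artifact) are
# referenced by mutable major-version tag; pinning them to a full commit SHA would make
# the action code used by this workflow immutable.
name: Build wolfProvider
on:
  workflow_call:
    inputs:
      # wolfSSL git ref used in the Debian artifact name
      wolfssl_ref:
        required: true
        type: string
      # OpenSSL git ref used in the Debian artifact name
      openssl_ref:
        required: true
        type: string
      # Set to the literal string "FIPS" to select the FIPS package set
      fips_ref:
        required: false
        type: string
      # Install wolfProvider as the default OpenSSL provider instead of standalone
      replace_default:
        required: false
        type: boolean
        default: false
      # "debian" (packages) or "yocto" (WIC images)
      build_type:
        required: false
        type: string
        default: debian

jobs:
  build_wolfprovider_common:
    name: Build wolfProvider
    runs-on: ubuntu-22.04
    # Grant permissions to read packages from ghcr.io (least privilege: nothing is written)
    permissions:
      contents: read
      packages: read
    # Run inside Debian Bookworm using container from ghcr.io/wolfssl/build-wolfprovider-debian:bookworm
    # We are using this container to avoid having to install all the dependencies on the host machine
    # and speed up the build process.
    # Note: Docker image paths must be lowercase even though the GitHub org is wolfSSL
    container:
      image: ghcr.io/wolfssl/build-wolfprovider-debian:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
      # Add network capabilities so ifconfig/RTNETLINK operations are permitted
      # These are passed to `docker run` as runtime options
      options: --cap-add=NET_ADMIN --cap-add=NET_RAW
    timeout-minutes: 20
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
      YOCTO_IMAGES_PATH: /tmp/yocto-images
    steps:
      # Compute artifact name for both check and upload steps.
      # Outputs: artifact_name, fips_str ("fips"/"nonfips"), config_str ("replace-default"/"standalone").
      # NOTE(review): artifact names cannot contain characters such as '/' or ':'; if a caller
      # passes a ref like "release/x" the upload step would reject the name — confirm callers
      # only pass plain tags or commit ids.
      - name: Prepare artifact name
        id: prepare_artifact_name
        env:
          FIPS_REF: ${{ inputs.fips_ref }}
          REPLACE_DEFAULT: ${{ inputs.replace_default }}
          BUILD_TYPE: ${{ inputs.build_type }}
          WOLFSSL_REF: ${{ inputs.wolfssl_ref }}
          OPENSSL_REF: ${{ inputs.openssl_ref }}
        run: |
          if [ "$FIPS_REF" = "FIPS" ]; then
            FIPS_STR="fips"
          else
            FIPS_STR="nonfips"
          fi
          if [ "$REPLACE_DEFAULT" = "true" ]; then
            CONFIG_STR="replace-default"
          else
            CONFIG_STR="standalone"
          fi
          if [ "$BUILD_TYPE" = "yocto" ]; then
            ARTIFACT_NAME="yocto-image-${FIPS_STR}-${CONFIG_STR}"
          else
            # Debian names carry the raw refs and only a "-replace-default" marker (no "standalone")
            if [ "$REPLACE_DEFAULT" = "true" ]; then
              ARTIFACT_NAME="debian-packages-${FIPS_REF}-replace-default-${WOLFSSL_REF}-${OPENSSL_REF}"
            else
              ARTIFACT_NAME="debian-packages-${FIPS_REF}-${WOLFSSL_REF}-${OPENSSL_REF}"
            fi
          fi
          echo "artifact_name=${ARTIFACT_NAME}" >> "$GITHUB_OUTPUT"
          echo "fips_str=${FIPS_STR}" >> "$GITHUB_OUTPUT"
          echo "config_str=${CONFIG_STR}" >> "$GITHUB_OUTPUT"
      # Check if artifact already exists from another job in the same workflow run.
      # When multiple matrix jobs run in parallel, the first one to finish uploads the artifact;
      # other jobs then find it and skip rebuilding. download-artifact has no "exists only" mode,
      # so the attempted download is the existence check and its outcome gates every later step.
      - name: Check for existing artifact from same run
        id: check_artifact
        continue-on-error: true
        uses: actions/download-artifact@v4
        with:
          name: ${{ steps.prepare_artifact_name.outputs.artifact_name }}
      # ── ORAS setup (shared by both debian and yocto builds) ──
      # Artifacts are stored as OCI packages on ghcr.io, pushed by Jenkins.
      # NOTE: If packages are private, the package settings on ghcr.io must grant
      # access to the wolfSSL/wolfProvider repository for GITHUB_TOKEN to work.
      - name: Install ORAS
        if: steps.check_artifact.outcome != 'success'
        run: |
          ORAS_VERSION="1.2.2"
          ORAS_CHECKSUM="bff970346470e5ef888e9f2c0bf7f8ee47283f5a45207d6e7a037da1fb0eae0d"
          ORAS_TARBALL="oras_${ORAS_VERSION}_linux_amd64.tar.gz"
          # -f: an HTTP error is a failure rather than an error page saved under the tarball name
          curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/${ORAS_TARBALL}"
          # Verify the release tarball against the pinned checksum before anything is extracted
          echo "${ORAS_CHECKSUM}  ${ORAS_TARBALL}" | sha256sum -c - || {
            echo "ERROR: ORAS checksum verification failed!"
            exit 1
          }
          mkdir -p "$GITHUB_WORKSPACE/.bin"
          tar xzf "${ORAS_TARBALL}" -C "$GITHUB_WORKSPACE/.bin/" oras
          echo "$GITHUB_WORKSPACE/.bin" >> "$GITHUB_PATH"
          rm -f "${ORAS_TARBALL}"
          "$GITHUB_WORKSPACE/.bin/oras" version
      - name: Login to ghcr.io
        if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider'
        env:
          GHCR_USER: ${{ github.repository_owner }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # The token reaches oras via stdin from an env var, never as part of the script text
          echo "$GHCR_TOKEN" | oras login \
            --username "$GHCR_USER" \
            --password-stdin ghcr.io
      # ── Debian build: pull .deb packages from ghcr.io ──
      # NOTE(review): packages are pulled by mutable tag; pulling by digest (or verifying a
      # signature on the package) would make the build reproducible and detect tag tampering.
      - name: Download pre-built packages from ghcr.io
        if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider' && inputs.build_type == 'debian'
        env:
          FIPS_REF: ${{ inputs.fips_ref }}
          REPLACE_DEFAULT: ${{ inputs.replace_default }}
        run: |
          mkdir -p "$WOLFSSL_PACKAGES_PATH"
          mkdir -p "$OPENSSL_PACKAGES_PATH"
          # Pull wolfSSL packages based on FIPS variant
          if [ "$FIPS_REF" = "FIPS" ]; then
            echo "Pulling FIPS wolfSSL packages..."
            oras pull ghcr.io/wolfssl/wolfprovider/debs:fips \
              -o "$WOLFSSL_PACKAGES_PATH"
          else
            echo "Pulling non-FIPS wolfSSL packages..."
            oras pull ghcr.io/wolfssl/wolfprovider/debs:nonfips \
              -o "$WOLFSSL_PACKAGES_PATH"
          fi
          # Pull OpenSSL packages based on replace_default setting
          if [ "$REPLACE_DEFAULT" = "true" ]; then
            echo "Pulling OpenSSL replace-default packages..."
            oras pull ghcr.io/wolfssl/wolfprovider/debs:openssl-replace-default \
              -o "$OPENSSL_PACKAGES_PATH"
          else
            echo "Pulling OpenSSL default packages..."
            oras pull ghcr.io/wolfssl/wolfprovider/debs:openssl-default \
              -o "$OPENSSL_PACKAGES_PATH"
          fi
          # Validate that we actually got .deb files
          WOLFSSL_COUNT=$(find "$WOLFSSL_PACKAGES_PATH" -name "*.deb" 2>/dev/null | wc -l)
          OPENSSL_COUNT=$(find "$OPENSSL_PACKAGES_PATH" -name "*.deb" 2>/dev/null | wc -l)
          if [ "$WOLFSSL_COUNT" -eq 0 ]; then
            echo "ERROR: No wolfSSL .deb packages found after pull from ghcr.io"
            echo "Check that Jenkins debian-export job has pushed packages"
            exit 1
          fi
          if [ "$OPENSSL_COUNT" -eq 0 ]; then
            echo "ERROR: No OpenSSL .deb packages found after pull from ghcr.io"
            echo "Check that Jenkins debian-export job has pushed packages"
            exit 1
          fi
          echo ""
          echo "Packages ready for installation:"
          echo "wolfSSL packages ($WOLFSSL_COUNT .deb files):"
          ls -la "$WOLFSSL_PACKAGES_PATH"
          echo ""
          echo "OpenSSL packages ($OPENSSL_COUNT .deb files):"
          ls -la "$OPENSSL_PACKAGES_PATH"
      # ── Yocto build: pull WIC images from ghcr.io ──
      - name: Install xz-utils
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'yocto'
        run: |
          apt-get update
          apt-get install -y xz-utils
      - name: Download WIC images from ghcr.io
        if: steps.check_artifact.outcome != 'success' && github.repository == 'wolfSSL/wolfProvider' && inputs.build_type == 'yocto'
        env:
          FIPS_STR: ${{ steps.prepare_artifact_name.outputs.fips_str }}
          CONFIG_STR: ${{ steps.prepare_artifact_name.outputs.config_str }}
        run: |
          mkdir -p "$YOCTO_IMAGES_PATH"
          TAG="${FIPS_STR}-${CONFIG_STR}"
          echo "Pulling ghcr.io/wolfssl/wolfprovider/wics:${TAG}..."
          oras pull "ghcr.io/wolfssl/wolfprovider/wics:${TAG}" \
            -o "$YOCTO_IMAGES_PATH"
          cd "$YOCTO_IMAGES_PATH"
          # Validate we got something from ghcr.io
          FILE_COUNT=$(ls -1 2>/dev/null | wc -l)
          if [ "$FILE_COUNT" -eq 0 ]; then
            echo "ERROR: No files found after pull from ghcr.io"
            echo "Check that Jenkins yocto-wic-export job has pushed images for tag: ${TAG}"
            exit 1
          fi
          # Reassemble split files if present (Jenkins splits files >45MB)
          if ls *.wic.xz.part-* 1>/dev/null 2>&1; then
            echo "Reassembling split WIC files..."
            for part_000 in *.wic.xz.part-000; do
              BASE_NAME="${part_000%.part-000}"
              # Version sort (-V) keeps part-000, part-001, ... in numeric order even past part-999,
              # where a plain lexicographic sort would misplace part-1000
              cat $(ls -1 "${BASE_NAME}".part-* | sort -V) > "${BASE_NAME}"
              rm -f "${BASE_NAME}".part-*
              echo "Reassembled: ${BASE_NAME}"
            done
          fi
          # Decompress
          if ls *.wic.xz 1>/dev/null 2>&1; then
            echo "Decompressing WIC images..."
            for f in *.wic.xz; do unxz -v "$f"; done
          fi
          # Validate we have a usable .wic file
          WIC_COUNT=$(ls -1 *.wic 2>/dev/null | wc -l)
          if [ "$WIC_COUNT" -eq 0 ]; then
            echo "ERROR: No .wic files after decompression"
            exit 1
          fi
          echo ""
          echo "WIC image ready ($WIC_COUNT file(s)):"
          ls -lah "$YOCTO_IMAGES_PATH"
      # ── Debian build: install packages and build wolfProvider ──
      - name: Install OpenSSL and wolfSSL packages
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
        env:
          FIPS_REF: ${{ inputs.fips_ref }}
        run: |
          echo "Installing OpenSSL and wolfSSL packages (${FIPS_REF})..."
          # Install OpenSSL packages first
          if [ -n "$(ls -A "$OPENSSL_PACKAGES_PATH"/*.deb 2>/dev/null)" ]; then
            echo "Installing OpenSSL packages..."
            # dpkg may report unmet dependencies here; they are resolved by apt-get below
            dpkg -i "$OPENSSL_PACKAGES_PATH"/*.deb || true
          fi
          # Install wolfSSL packages
          if [ -n "$(ls -A "$WOLFSSL_PACKAGES_PATH"/*.deb 2>/dev/null)" ]; then
            echo "Installing wolfSSL packages..."
            dpkg -i "$WOLFSSL_PACKAGES_PATH"/*.deb || true
          fi
          # Fix any dependency issues
          apt-get install -f -y
          echo ""
          echo "Packages installed successfully:"
          echo "OpenSSL:"
          dpkg -l | grep openssl || echo " No OpenSSL packages found"
          echo ""
          echo "wolfSSL:"
          dpkg -l | grep wolfssl || echo " No wolfSSL packages found"
      - name: Checkout wolfProvider
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      # Avoid "detected dubious ownership" warning
      - name: Ensure the working directory safe
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Install wolfProvider
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
        env:
          FIPS_REF: ${{ inputs.fips_ref }}
        run: |
          # Build the optional --fips flag as a positional parameter so an empty flag
          # contributes no argument at all
          if [ "$FIPS_REF" = "FIPS" ]; then
            set -- --fips
          else
            set --
          fi
          "$GITHUB_WORKSPACE/debian/install-wolfprov.sh" "$@" "$WOLFPROV_PACKAGES_PATH"
      - name: Setup packages directory
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
        run: |
          mkdir -p "$WOLFPROV_PACKAGES_PATH"
          # Copy wolfProvider packages (built in previous step)
          cp "$GITHUB_WORKSPACE"/../libwolfprov*.deb "$WOLFPROV_PACKAGES_PATH"
          cp "$GITHUB_WORKSPACE"/../libwolfprov*.dsc "$WOLFPROV_PACKAGES_PATH"
          cp "$GITHUB_WORKSPACE"/../libwolfprov*.tar.gz "$WOLFPROV_PACKAGES_PATH"
          # Note: OpenSSL and wolfSSL packages already downloaded from ghcr.io earlier
          printf "Listing packages directory:\n"
          echo "wolfProvider packages:"
          ls -la "$WOLFPROV_PACKAGES_PATH"
          echo ""
          echo "wolfSSL packages:"
          ls -la "$WOLFSSL_PACKAGES_PATH"
          echo ""
          echo "OpenSSL packages:"
          ls -la "$OPENSSL_PACKAGES_PATH"
      # ── Artifact uploads ──
      # Save all packages as artifacts for consumers (Debian)
      - name: Upload wolfProvider packages
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'debian'
        uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.prepare_artifact_name.outputs.artifact_name }}
          path: |
            ${{ env.WOLFSSL_PACKAGES_PATH }}
            ${{ env.OPENSSL_PACKAGES_PATH }}
            ${{ env.WOLFPROV_PACKAGES_PATH }}
          retention-days: 1
      # Save WIC images as artifacts (Yocto)
      - name: Upload Yocto WIC images
        if: steps.check_artifact.outcome != 'success' && inputs.build_type == 'yocto'
        uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.prepare_artifact_name.outputs.artifact_name }}
          path: |
            ${{ env.YOCTO_IMAGES_PATH }}
          retention-days: 1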