ci: shrink multi-compiler PR matrix, move full coverage to nightly

aidangarske · aidangarske · commit 212fa721f75a · 2026-05-27T13:38:17.000-07:00
PR-time multi-compiler was apt-get update'ing the runner before
installing gcc-X/clang-X. When the runner's apt cache was stale this
hung past the 20m job timeout (e.g. clang-14 in run 26527356013) and
cancelled the whole compiler-matrix run.

Restrict the PR-time matrix to compilers that ship in the test-deps
container (Debian Bookworm: gcc-11, gcc-12, clang-13, clang-14,
clang-15) and run inside the container, so the apt-get step goes
away entirely. Six matrix entries cover the common compiler bases
plus one entry pinned to wolfssl v5.8.0-stable for back-compat.

Dropped from PR-time vs prior matrix: gcc-9, gcc-10, gcc-13, gcc-14,
clang-12 (not in Bookworm or its backports).

To restore that coverage at nightly cadence, add
nightly-multi-compiler.yml which runs the FULL original matrix on
GitHub-hosted Ubuntu runners (22.04 + latest). The verify-or-install
step skips apt-get when the compiler is already on PATH, so most
matrix entries don't apt-get at all and the slow path only fires
when a runner image change drops a pre-installed compiler. Wired
into nightly-osp.yml as 'multi-compiler:' with the matching needs:
entry on the Slack notify job.
diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml
@@ -28,73 +28,46 @@ jobs:
   build_wolfprovider:
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     name: Build with compiler ${{ matrix.CC }}, wolfssl ${{ matrix.wolfssl_ref }}, OpenSSL ${{ matrix.openssl_ref }}
-    runs-on: ${{ matrix.OS }}
+    runs-on: ubuntu-22.04
+    container:
+      image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
+      env:
+        DEBIAN_FRONTEND: noninteractive
     timeout-minutes: 20
     strategy:
       fail-fast: false
+      # PR-time matrix is intentionally narrow: only compilers that ship
+      # in Debian Bookworm (the test-deps image base). Dropped vs the
+      # prior matrix: gcc-9, gcc-10, gcc-13, gcc-14, clang-12. Full
+      # cross-compiler coverage (including those) runs in the nightly
+      # multi-compiler job called from nightly-osp.yml.
       matrix:
         include:
-          - CC: gcc-9
-            CXX: g++-9
-            OS: ubuntu-latest
-            wolfssl_ref: master
-            openssl_ref: master
-          - CC: gcc-10
-            CXX: g++-10
-            OS: ubuntu-latest
-            wolfssl_ref: master
-            openssl_ref: master
-          - CC: gcc-10
-            CXX: g++-10
-            OS: ubuntu-latest
-            wolfssl_ref: v5.8.0-stable
-            openssl_ref: master
           - CC: gcc-11
             CXX: g++-11
-            OS: ubuntu-latest
             wolfssl_ref: master
             openssl_ref: master
           - CC: gcc-12
             CXX: g++-12
-            OS: ubuntu-latest
-            wolfssl_ref: master
-            openssl_ref: master
-          - CC: gcc-13
-            CXX: g++-13
-            OS: ubuntu-latest
             wolfssl_ref: master
             openssl_ref: master
-          - CC: gcc-14
-            CXX: g++-14
-            OS: ubuntu-latest
-            wolfssl_ref: master
-            openssl_ref: master
-          - CC: clang-12
-            CXX: clang++-12
-            OS: ubuntu-22.04
-            wolfssl_ref: master
+          - CC: gcc-12
+            CXX: g++-12
+            wolfssl_ref: v5.8.0-stable
             openssl_ref: master
           - CC: clang-13
             CXX: clang++-13
-            OS: ubuntu-22.04
             wolfssl_ref: master
             openssl_ref: master
           - CC: clang-14
             CXX: clang++-14
-            OS: ubuntu-latest
             wolfssl_ref: master
             openssl_ref: master
           - CC: clang-15
             CXX: clang++-15
-            OS: ubuntu-latest
             wolfssl_ref: master
             openssl_ref: master
     steps:
-      - name: Install dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y ${{ matrix.CC }} ${{ matrix.CXX }} automake libtool
-
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/nightly-multi-compiler.yml b/.github/workflows/nightly-multi-compiler.yml
@@ -0,0 +1,147 @@
+name: Nightly Multi-Compiler Tests
+
+# Runs the FULL multi-compiler matrix (gcc-9..14, clang-12..15) on
+# Ubuntu runners. PR-time multi-compiler.yml is restricted to the
+# compilers that ship in the test-deps container (Debian Bookworm:
+# gcc-11, gcc-12, clang-13..15) to avoid the apt-get hangs that were
+# cancelling PR jobs after 20 minutes. This nightly job restores
+# coverage of the dropped compilers (gcc-9, gcc-10, gcc-13, gcc-14,
+# clang-12) plus everything in between.
+
+on:
+  workflow_call: {}
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build_wolfprovider:
+    name: Nightly build ${{ matrix.CC }} on ${{ matrix.OS }}, wolfssl ${{ matrix.wolfssl_ref }}, OpenSSL ${{ matrix.openssl_ref }}
+    runs-on: ${{ matrix.OS }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - CC: gcc-9
+            CXX: g++-9
+            OS: ubuntu-22.04
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: gcc-10
+            CXX: g++-10
+            OS: ubuntu-22.04
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: gcc-10
+            CXX: g++-10
+            OS: ubuntu-22.04
+            wolfssl_ref: v5.8.0-stable
+            openssl_ref: master
+          - CC: gcc-11
+            CXX: g++-11
+            OS: ubuntu-latest
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: gcc-12
+            CXX: g++-12
+            OS: ubuntu-latest
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: gcc-13
+            CXX: g++-13
+            OS: ubuntu-latest
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: gcc-14
+            CXX: g++-14
+            OS: ubuntu-latest
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: clang-12
+            CXX: clang++-12
+            OS: ubuntu-22.04
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: clang-13
+            CXX: clang++-13
+            OS: ubuntu-22.04
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: clang-14
+            CXX: clang++-14
+            OS: ubuntu-latest
+            wolfssl_ref: master
+            openssl_ref: master
+          - CC: clang-15
+            CXX: clang++-15
+            OS: ubuntu-latest
+            wolfssl_ref: master
+            openssl_ref: master
+    steps:
+      - name: Verify or install compiler
+        run: |
+          # Most matrix compilers are pre-installed on the GitHub-hosted
+          # Ubuntu runners. Only apt-install if the binary isn't already
+          # on PATH - skips the slow `apt-get update` whenever possible.
+          if ! command -v ${{ matrix.CC }} >/dev/null; then
+            sudo apt-get update
+            sudo apt-get install -y ${{ matrix.CC }} ${{ matrix.CXX }}
+          fi
+          ${{ matrix.CC }} --version
+
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Get OpenSSL commit hash
+        id: openssl-ref
+        run: |
+          sha=$(./scripts/resolve-ref.sh "${{ matrix.openssl_ref }}" "openssl/openssl")
+          echo "ref=$sha" >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get WolfSSL commit hash
+        id: wolfssl-ref
+        run: |
+          sha=$(./scripts/resolve-ref.sh "${{ matrix.wolfssl_ref }}" "wolfssl/wolfssl")
+          echo "ref=$sha" >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checking OpenSSL in cache
+        uses: actions/cache@v4
+        id: openssl-cache
+        with:
+          path: openssl-install
+          key: openssl-depends-${{ matrix.CC }}-${{ steps.openssl-ref.outputs.ref }}
+          lookup-only: false
+
+      - name: Checking WolfSSL in cache
+        uses: actions/cache@v4
+        id: wolfssl-cache
+        with:
+          path: wolfssl-install
+          key: wolfssl-depends-${{ matrix.CC }}-${{ steps.wolfssl-ref.outputs.ref }}
+          lookup-only: false
+
+      - name: Build wolfProvider
+        env:
+          CC: ${{ matrix.CC }}
+          CXX: ${{ matrix.CXX }}
+        run: |
+          OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ]; then
+            cat test-suite.log
+          fi
+          if [ -f config.log ]; then
+            cat config.log
+          fi
diff --git a/.github/workflows/nightly-osp.yml b/.github/workflows/nightly-osp.yml
@@ -62,6 +62,7 @@ jobs:
   x11vnc:         { uses: ./.github/workflows/x11vnc.yml }
   xmlsec:         { uses: ./.github/workflows/xmlsec.yml }
   openssl-version: { uses: ./.github/workflows/openssl-version.yml }
+  multi-compiler: { uses: ./.github/workflows/nightly-multi-compiler.yml }
 
   notify:
     name: Slack notification
@@ -108,6 +109,7 @@ jobs:
       - x11vnc
       - xmlsec
       - openssl-version
+      - multi-compiler
     if: always()
     runs-on: ubuntu-latest
     # Job-level env: step `if:` runs before step `env:` exports.
