ci: test wolfSSL master + latest-stable everywhere via the resolver

_discover-versions.yml now emits wolfssl_ref_array=["master","<latest_stable>"]
instead of a single-element array. Every matrix consumer of that
output -- the 40 OSP workflows already use fromJson on it -- now
iterates both refs.

Wired wolfssl_ref into the matrix of the workflows that were still
using the singular `outputs.wolfssl_ref`:
  - simple.yml: matrix gains wolfssl_ref (now 8 jobs / PR, was 4)
  - cmdline.yml: matrix.wolfssl_ref switches from ['v5.8.4-stable']
    to the array form, also adds a discover_versions job
  - libtss2.yml: matrix.wolfssl_ref added; build step reads it
  - sanitizers.yml: matrix added so ASan+UBSan exercises both refs

The singular `wolfssl_ref` output still resolves to latest-stable for
the few non-matrix consumers (none currently, but the API stays
backwards-compatible).

Nightly OSP now runs every OSP workflow with master AND latest-stable
in parallel, which is the load nightly was built to absorb.

Author: aidangarske

.github/workflows/_discover-versions.yml

@@ -66,12 +66,16 @@ jobs:
           fi
           OSSL=$(echo "$OSSL_RAW" | sed 's/-.*//')
 
-          echo "wolfSSL latest -stable: $WOLFSSL"
+          echo "wolfSSL latest -stable: $WOLFSSL (also testing master)"
           echo "Bookworm OpenSSL: openssl-$OSSL (raw: $OSSL_RAW)"
 
+          # Matrix consumers iterate the array form, so they exercise
+          # both master and the latest -stable tag every run. Singular
+          # `wolfssl_ref` (still the stable tag) is kept for the few
+          # remaining non-matrix consumers and shell-step interpolation.
           {
             echo "wolfssl_ref=$WOLFSSL"
-            echo "wolfssl_ref_array=[\"$WOLFSSL\"]"
+            echo "wolfssl_ref_array=[\"master\",\"$WOLFSSL\"]"
             echo "openssl_ref=openssl-$OSSL"
             echo "openssl_ref_array=[\"openssl-$OSSL\"]"
           } >> "$GITHUB_OUTPUT"

.github/workflows/cmdline.yml

@@ -25,7 +25,12 @@ concurrency:
 # END OF COMMON SECTION
 
 jobs:
+  discover_versions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    uses: ./.github/workflows/_discover-versions.yml
+
   cmdtest_test:
+    needs: discover_versions
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     name: Command line test
     runs-on: ubuntu-22.04
@@ -34,7 +39,7 @@ jobs:
       fail-fast: false
       matrix:
         openssl_ref: [ 'master', 'openssl-3.5.0' ]
-        wolfssl_ref: [ 'v5.8.4-stable' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
         debug: ['WOLFPROV_DEBUG=1', '']
         # force_fail collapsed into sequential test runs below
     steps:

.github/workflows/libtss2.yml

@@ -28,6 +28,7 @@ jobs:
       fail-fast: false
       matrix:
         tpm2_tss_ref: [ '4.1.3']
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
         openssl_ref: [ 'openssl-3.5.4' ]
         replace_default: [ true ]
     env:
@@ -53,7 +54,7 @@ jobs:
       - name: Build wolfProvider
         run: |
           OPENSSL_TAG=${{ matrix.openssl_ref }} \
-          WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \
+          WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
             ./scripts/build-wolfprovider.sh
 
       - name: Checkout tpm2-tss

.github/workflows/sanitizers.yml

@@ -42,10 +42,15 @@ jobs:
   sanitizers:
     needs: discover_versions
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
-    name: ASan+UBSan (wolfSSL ${{ needs.discover_versions.outputs.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_ref }})
+    name: ASan+UBSan (wolfSSL ${{ matrix.wolfssl_ref }} / ${{ needs.discover_versions.outputs.openssl_ref }})
     runs-on: ubuntu-22.04
     # Sanitizers add ~2-3x to build/test time vs. a plain build.
     timeout-minutes: 45
+    strategy:
+      fail-fast: false
+      matrix:
+        # Test master + latest-stable (resolved at run time).
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
     env:
       # Surface every report. halt_on_error=1 fails the first time we
       # touch UB so we don't drown in cascades.
@@ -83,7 +88,7 @@ jobs:
           export WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS:-} ${SAN_FLAGS}"
 
           OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_ref }} \
-          WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \
+          WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
             ./scripts/build-wolfprovider.sh
 
       - name: Run cmd-tests under sanitizers

.github/workflows/simple.yml

@@ -38,8 +38,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # PR matrix: latest-stable wolfssl (resolved at runtime) + newest 3.5
-        # and oldest 3.0 OpenSSL = 2 x 1 x 2 = 4 jobs.
+        # 2 wolfssl (master + latest-stable, resolved at run time) x
+        # newest 3.5 and oldest 3.0 OpenSSL x 2 replace-default = 8 jobs.
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
         openssl_ref: [
           'openssl-3.5.4',
           'openssl-3.0.17']
@@ -57,7 +58,7 @@ jobs:
       - name: Build and test wolfProvider
         run: |
              OPENSSL_TAG=${{ matrix.openssl_ref }} \
-             WOLFSSL_TAG=${{ needs.discover_versions.outputs.wolfssl_ref }} \
+             WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
                ./scripts/build-wolfprovider.sh ${{ matrix.debug }} ${{ matrix.replace_default }}
 
       - name: Print errors