ci: dynamic discover-versions; honest matrix labels (review fix)

The matrix on every Debian-container workflow was claiming
openssl_ref: 'openssl-3.5.4', but the wolfprov .deb on ghcr.io is built
by patching Debian Bookworm's stock libssl3 source -- which is currently
3.0.20. So the matrix label has been lying about what's actually
installed and tested. The wolfssl_ref was likewise pinned and could
drift.

Replaces .github/workflows/_discover-wolfssl.yml with
.github/workflows/_discover-versions.yml that resolves both at run time:

  - wolfSSL latest -stable tag via git ls-remote (same as before).
  - Debian Bookworm's currently-resolvable OpenSSL via
    `docker run --rm debian:bookworm apt-cache madison openssl`,
    stripping the Debian revision suffix.

Outputs both plain (`wolfssl_ref`) and JSON-array (`wolfssl_ref_array`)
forms; matrix consumers use the array form via fromJson.

Wired into every workflow that calls build-wolfprovider.yml (38 heavy
workflows + openssl-version.yml's wolfssl axis + the three workflows
that previously used the wolfssl-only resolver). Each gets a
`discover_versions` job that the build_wolfprovider and test_X jobs
depend on.

Today's resolution: wolfssl=v5.8.4-stable, openssl=openssl-3.0.20.
When Bookworm bumps to 3.0.21 (or whenever) the label tracks
automatically -- no CI edit needed.

Author: aidangarske

.github/workflows/_discover-versions.yml

@@ -0,0 +1,77 @@
+name: Discover wolfSSL + OpenSSL versions
+
+# Reusable workflow that resolves at run time:
+#   - latest wolfSSL v*-stable tag (from upstream wolfssl/wolfssl)
+#   - Debian Bookworm's stock OpenSSL version (matches what the
+#     wolfprov-patched .deb on ghcr.io was built against)
+#
+# Consumers use these outputs to populate matrix values so the
+# matrix labels honestly reflect what the test actually installed.
+# Today: latest -> v5.8.4-stable, openssl -> 3.0.20 (Bookworm stock).
+# When Bookworm bumps OpenSSL or wolfSSL ships a new -stable, the
+# resolver picks it up without a CI edit.
+
+on:
+  workflow_call:
+    outputs:
+      wolfssl_ref:
+        description: 'Plain string, e.g. v5.8.4-stable'
+        value: ${{ jobs.discover.outputs.wolfssl_ref }}
+      wolfssl_ref_array:
+        description: 'JSON array for matrix use, e.g. ["v5.8.4-stable"]'
+        value: ${{ jobs.discover.outputs.wolfssl_ref_array }}
+      openssl_ref:
+        description: 'Plain string, e.g. openssl-3.0.20'
+        value: ${{ jobs.discover.outputs.openssl_ref }}
+      openssl_ref_array:
+        description: 'JSON array for matrix use, e.g. ["openssl-3.0.20"]'
+        value: ${{ jobs.discover.outputs.openssl_ref_array }}
+
+jobs:
+  discover:
+    name: Resolve wolfSSL + OpenSSL refs
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      wolfssl_ref: ${{ steps.resolve.outputs.wolfssl_ref }}
+      wolfssl_ref_array: ${{ steps.resolve.outputs.wolfssl_ref_array }}
+      openssl_ref: ${{ steps.resolve.outputs.openssl_ref }}
+      openssl_ref_array: ${{ steps.resolve.outputs.openssl_ref_array }}
+    steps:
+      - name: Resolve versions
+        id: resolve
+        run: |
+          set -euo pipefail
+
+          # ---- wolfSSL: highest v*-stable tag from upstream ----
+          WOLFSSL=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' \
+                     | awk -F/ '{print $NF}' | sort -V | tail -n 1)
+          if [ -z "${WOLFSSL:-}" ]; then
+            echo "::error::Could not resolve latest wolfSSL -stable tag"
+            exit 1
+          fi
+
+          # ---- OpenSSL: whatever Debian Bookworm apt-resolves to ----
+          # The wolfprov-patched .deb on ghcr.io is built by patching
+          # Bookworm's stock libssl3 source, so this is the actual
+          # OpenSSL the Debian-container workflows end up linking against.
+          # Use docker to ask Bookworm's apt directly, then strip the
+          # Debian revision (3.0.20-1~deb12u1 -> 3.0.20).
+          OSSL_RAW=$(docker run --rm debian:bookworm sh -c \
+            'apt-get update -qq >/dev/null 2>&1 && apt-cache madison openssl | head -1' \
+            | awk '{print $3}')
+          if [ -z "${OSSL_RAW:-}" ]; then
+            echo "::error::Could not resolve Bookworm OpenSSL version"
+            exit 1
+          fi
+          OSSL=$(echo "$OSSL_RAW" | sed 's/-.*//')
+
+          echo "wolfSSL latest -stable: $WOLFSSL"
+          echo "Bookworm OpenSSL: openssl-$OSSL (raw: $OSSL_RAW)"
+
+          {
+            echo "wolfssl_ref=$WOLFSSL"
+            echo "wolfssl_ref_array=[\"$WOLFSSL\"]"
+            echo "openssl_ref=openssl-$OSSL"
+            echo "openssl_ref_array=[\"openssl-$OSSL\"]"
+          } >> "$GITHUB_OUTPUT"

.github/workflows/_discover-wolfssl.yml

@@ -38,8 +38,12 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+  discover_versions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    uses: ./.github/workflows/_discover-versions.yml
+
   build_wolfprovider:
-    needs: wait_for_smoke
+    needs: [wait_for_smoke, discover_versions]
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
@@ -50,15 +54,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
 
   test_bind:
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
-    needs: build_wolfprovider
+    needs: [build_wolfprovider, discover_versions]
     container:
       image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
       env:
@@ -69,8 +73,8 @@ jobs:
       fail-fast: false
       matrix:
         bind_ref: [ 'v9.18.28' ]
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
     env:

.github/workflows/bind9.yml

@@ -38,8 +38,12 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+  discover_versions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    uses: ./.github/workflows/_discover-versions.yml
+
   build_wolfprovider:
-    needs: wait_for_smoke
+    needs: [wait_for_smoke, discover_versions]
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
@@ -50,15 +54,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
 
   test_cjose:
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
-    needs: build_wolfprovider
+    needs: [build_wolfprovider, discover_versions]
     # Run inside Debian Bookworm to match packaging environment
     container:
       image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
@@ -71,8 +75,8 @@ jobs:
       matrix:
         # Dont test osp master since it might be unstable
         cjose_ref: [ 'v0.6.2.1' ]
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
     env:

.github/workflows/cjose.yml

@@ -38,8 +38,12 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+  discover_versions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    uses: ./.github/workflows/_discover-versions.yml
+
   build_wolfprovider:
-    needs: wait_for_smoke
+    needs: [wait_for_smoke, discover_versions]
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
@@ -50,15 +54,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
 
   test_curl:
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
-    needs: build_wolfprovider
+    needs: [build_wolfprovider, discover_versions]
     container:
       image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
       env:
@@ -70,8 +74,8 @@ jobs:
       matrix:
         # PR runs latest curl only. Older refs are exercised at release time.
         curl_ref: [ 'curl-8_4_0' ]
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
         # force_fail collapsed into sequential runs in the test step

.github/workflows/curl.yml

@@ -38,8 +38,12 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+  discover_versions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    uses: ./.github/workflows/_discover-versions.yml
+
   build_wolfprovider:
-    needs: wait_for_smoke
+    needs: [wait_for_smoke, discover_versions]
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
@@ -50,16 +54,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true, false ]
 
   libwolfprov-replace-default:
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     name: libwolfprov ${{ matrix.replace_default && 'replace-default' || 'standalone' }} ${{ matrix.fips_ref }}
     runs-on: ubuntu-22.04
-    needs: build_wolfprovider
+    needs: [build_wolfprovider, discover_versions]
     # Run inside Debian Bookworm to match packaging environment
     container:
       image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
@@ -70,8 +74,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true, false ]
         # force_fail collapsed into sequential runs in the test step

.github/workflows/debian-package.yml

@@ -36,8 +36,12 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+  discover_versions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    uses: ./.github/workflows/_discover-versions.yml
+
   build_wolfprovider:
-    needs: wait_for_smoke
+    needs: [wait_for_smoke, discover_versions]
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
@@ -48,8 +52,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
 
@@ -60,14 +64,14 @@ jobs:
       image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
       env:
         DEBIAN_FRONTEND: noninteractive
-    needs: build_wolfprovider
+    needs: [build_wolfprovider, discover_versions]
     # This should be a safe limit for the tests to run.
     timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
         # PR matrix: 2 of 4 key types and 3 iterations.

.github/workflows/git-ssh-dr.yml

@@ -38,8 +38,12 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+  discover_versions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    uses: ./.github/workflows/_discover-versions.yml
+
   build_wolfprovider:
-    needs: wait_for_smoke
+    needs: [wait_for_smoke, discover_versions]
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
@@ -50,15 +54,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
 
   test_grpc:
     if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
-    needs: build_wolfprovider
+    needs: [build_wolfprovider, discover_versions]
     container:
       image: ghcr.io/${{ github.event.pull_request && github.event.pull_request.head.repo.owner.login || github.repository_owner }}/wolfprovider-test-deps:bookworm
       env:
@@ -76,8 +80,8 @@ jobs:
               ssl_transport_security_test ssl_transport_security_utils_test
               test_core_security_ssl_credentials_test test_cpp_end2end_ssl_credentials_test
               h2_ssl_cert_test h2_ssl_session_reuse_test
-        wolfssl_ref: [ 'v5.8.4-stable' ]
-        openssl_ref: [ 'openssl-3.5.4' ]
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
         fips_ref: [ 'FIPS', 'non-FIPS' ]
         replace_default: [ true ]
         # force_fail collapsed into sequential runs in the test step