Update wolfSSL version in ML-KEM and Thread tests

ejohnstown · ejohnstown · commit 7f08f69bd969 · 2026-05-15T16:56:44.000-07:00
1. Update WOLFSSL_REF to v5.9.1-stable in the ML-KEM and single-thread
   tests (interop-mlkem.yml, singlethread-check.yml).
2. Drop kyber.yml; its coverage is a strict subset of interop-mlkem.yml.
   Fold its push and workflow_dispatch triggers into interop-mlkem.yml so
   ML-KEM still runs on master/release pushes and via manual dispatch.
3. Drop liboqs from the ML-KEM test. It isn't in configure.ac any more.
diff --git a/.github/workflows/interop-mlkem.yml b/.github/workflows/interop-mlkem.yml
@@ -1,40 +1,43 @@
 name: ML-KEM Interop Tests
 
 on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 env:
-  openssh: V_10_2_P1
+  OS_REF: ubuntu-latest
+  WOLFSSL_REF: v5.9.1-stable
+  OPENSSH_REF: V_10_2_P1
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
-      matrix:
-        wolfssl: [v5.8.4-stable, master]
     timeout-minutes: 4
     steps:
       - name: Checking cache for wolfSSL
         uses: actions/cache@v5
         id: cache-wolfssl
         with:
           path: build-dir/
-          key: wolfssh-mlkem-wolfssl-${{ matrix.wolfssl }}
+          key: wolfssh-mlkem-wolfssl-${{ env.WOLFSSL_REF }}-${{ env.OS_REF }}
           lookup-only: true
 
       - name: Checkout, build, and install wolfSSL
         if: steps.cache-wolfssl.outputs.cache-hit != 'true'
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           repository: wolfSSL/wolfssl
-          ref: ${{ matrix.wolfssl }}
+          ref: ${{ env.WOLFSSL_REF }}
           path: wolfssl
           configure: --enable-wolfssh --enable-mlkem --enable-ed25519 --enable-ed25519-stream --enable-curve25519 --enable-base64encode --enable-cryptonly --disable-examples --disable-crypttests
           check: false
@@ -50,15 +53,15 @@ jobs:
         id: cache-openssh
         with:
           path: build-dir/
-          key: wolfssh-mlkem-openssh-${{ env.openssh }}
+          key: wolfssh-mlkem-openssh-${{ env.OPENSSH_REF }}
           lookup-only: true
 
-      - name: Checkout, build, and install wolfSSL
+      - name: Checkout, build, and install OpenSSH
         if: steps.cache-openssh.outputs.cache-hit != 'true'
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           repository: openssh/openssh-portable
-          ref: ${{ env.openssh }}
+          ref: ${{ env.OPENSSH_REF }}
           path: openssh
           configure: --with-privsep-path=/tmp/empty
           check: false
@@ -70,47 +73,44 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl: [v5.8.4-stable, master]
         config: [
           '',
           '--enable-smallstack',
         ]
     runs-on: ubuntu-latest
     timeout-minutes: 4
-    env:
-      build_dir: ${{ github.workspace }}/build-dir
     steps:
       - name: Checking cache for wolfSSL
         uses: actions/cache@v5
         with:
           path: build-dir/
-          key: wolfssh-mlkem-wolfssl-${{ matrix.wolfssl }}
+          key: wolfssh-mlkem-wolfssl-${{ env.WOLFSSL_REF }}-${{ env.OS_REF }}
           fail-on-cache-miss: true
 
       - name: Checking cache for OpenSSH
         uses: actions/cache@v5
         with:
           path: build-dir/
-          key: wolfssh-mlkem-openssh-${{ env.openssh }}
+          key: wolfssh-mlkem-openssh-${{ env.OPENSSH_REF }}
           fail-on-cache-miss: true
 
       - name: Checkout, build, and test wolfSSH
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           repository: wolfSSL/wolfssh
           path: wolfssh
-          configure: ${{ matrix.config }} --with-wolfssl=${{ env.build_dir }}
+          configure: ${{ matrix.config }} --with-wolfssl=${{ github.workspace }}/build-dir
           check: true
 
       - name: Make test key
         working-directory: ./wolfssh/
         run: |
-          ${{ env.build_dir }}/bin/ssh-keygen -f $HOME/.ssh/id_ed25519 -N "" -t ed25519
+          ${{ github.workspace }}/build-dir/bin/ssh-keygen -f $HOME/.ssh/id_ed25519 -N "" -t ed25519
           cp $HOME/.ssh/id_ed25519.pub $HOME/.ssh/authorized_keys
 
       - name: Run connect wolfSSH client to OpenSSH server test
         working-directory: ./wolfssh/
         run: |
           mkdir -p /tmp/empty
-          ${{ env.build_dir }}/sbin/sshd -p 22222 -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o KexAlgorithms=mlkem768x25519-sha256
+          ${{ github.workspace }}/build-dir/sbin/sshd -p 22222 -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o KexAlgorithms=mlkem768x25519-sha256
           ./examples/client/client -u $USER -i $HOME/.ssh/id_ed25519 -j $HOME/.ssh/id_ed25519.pub -c "ls /"
diff --git a/.github/workflows/kyber.yml b/.github/workflows/kyber.yml
diff --git a/.github/workflows/singlethread-check.yml b/.github/workflows/singlethread-check.yml
@@ -12,7 +12,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  WOLFSSL_REF: v5.7.0-stable
+  WOLFSSL_REF: v5.9.1-stable
 
 jobs:
   build_wolfssl:
