From 2f50f8c968cdf30b6c0a1cd1e8b56ac1129145ba Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 16 Jun 2026 10:52:07 +0000 Subject: [PATCH 1/5] CI: drop actions/cache apt-deps layer from install-apt-deps The ci-cache-offload work added a ghcr .deb bundle path to install-apt-deps, making the actions/cache apt-archive layer redundant. Remove it so no apt-deps-* cache entries are produced. Apt packages now install either offline from the ghcr bundle (when ghcr-debs-tag is set) or via plain apt-get with the existing retry/backoff. - Strip the Compute/Restore/Pre-seed/Collect/Save cache steps and the cache-hit fast path; drop the now-unused 'cache' input. - Update callers that passed 'cache': membrowse-onboard, membrowse-report (and the apt_cache matrix key in membrowse-targets.json), and sssd. The ghcr offline path and the ccache actions/cache usage are untouched. --- .github/actions/install-apt-deps/action.yml | 70 +-------------------- .github/membrowse-targets.json | 6 +- .github/workflows/membrowse-onboard.yml | 1 - .github/workflows/membrowse-report.yml | 1 - .github/workflows/sssd.yml | 1 - 5 files changed, 5 insertions(+), 74 deletions(-) diff --git a/.github/actions/install-apt-deps/action.yml b/.github/actions/install-apt-deps/action.yml index 6432392c396..b8cb68b4e4a 100644 --- a/.github/actions/install-apt-deps/action.yml +++ b/.github/actions/install-apt-deps/action.yml @@ -1,5 +1,5 @@ name: 'Install apt dependencies' -description: 'Install apt packages with retry logic and caching' +description: 'Install apt packages with retry logic and an optional offline ghcr bundle' inputs: packages: description: 'Space-separated list of apt packages to install' 
@@ -16,16 +16,12 @@ inputs: description: 'Pass --no-install-recommends to apt-get install' required: false default: 'false' - cache: - description: 'Cache apt archives (disable for dynamic package names)' - required: false - default: 'true' ghcr-debs-tag: description: > Tag of a prebuilt .deb bundle published to ghcr.io//wolfssl-ci-debs by the ci-deps-image workflow (e.g. "ubuntu-24.04-minimal"). When set, the packages are installed - offline from that bundle and the apt cache path below is skipped; on + offline from that bundle and the apt path below is skipped; on that happy path the apt mirror is not contacted. The offline install is all-or-nothing (a single --no-download install of the whole set), so any failure - bundle missing, not public, or not covering every @@ -39,7 +35,7 @@ runs: # Preferred path: install from a prebuilt .deb bundle pulled from ghcr, # entirely offline (--no-download), so a flaky/timing-out apt mirror # cannot break the build. Best-effort: on any failure we leave - # "satisfied" unset and the apt steps below run unchanged. The bundle + # "satisfied" unset and the apt step below runs unchanged. The bundle # image must be PUBLIC so anonymous `docker pull` works (including from # fork PRs whose GITHUB_TOKEN cannot read private packages). - name: Install from ghcr .deb bundle (offline) 
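Review bot: The `ghcr-debs-tag` description in the inputs hunk identifies the bundle only by tag and never states what the action trusts about it, although with the actions/cache layer removed this bundle is now the preferred source for everything the action installs under sudo. A tag is a mutable reference, so I would add a sentence such as `The tag is mutable: the packages installed are whatever was last pushed under it, so push access to the wolfssl-ci-debs package must stay limited to the ci-deps-image workflow.` Whether the offline install still checks each .deb against signed apt index data is not visible here (the install step lies outside both hunks), and the description should say which it is. The "must be PUBLIC" comment in the second hunk (@@ -39,7 +35,7) covers who may read the bundle but not who may write it, and would benefit from the same sentence.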
@@ -77,40 +73,9 @@ runs: echo "::notice::offline install incomplete for $IMG; using apt" fi - - name: Compute cache key - if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true' - id: cache-key - shell: bash - run: | - SORTED_PKGS=$(echo "${{ inputs.packages }}" | tr ' ' '\n' | sort -u | tr '\n' ' ') - PKG_HASH=$(echo "$SORTED_PKGS" | sha256sum | cut -d' ' -f1 | head -c 16) - OS_VERSION=$(lsb_release -rs 2>/dev/null || echo "unknown") - echo "key=apt-deps-${{ runner.os }}-${{ runner.arch }}-${OS_VERSION}-${PKG_HASH}" >> $GITHUB_OUTPUT - echo "restore-key=apt-deps-${{ runner.os }}-${{ runner.arch }}-${OS_VERSION}-" >> $GITHUB_OUTPUT - - - name: Restore apt cache - if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true' - id: apt-cache - uses: actions/cache/restore@v5 - with: - path: ~/apt-cache - key: ${{ steps.cache-key.outputs.key }} - restore-keys: ${{ steps.cache-key.outputs.restore-key }} - - - name: Pre-seed apt archives from cache - if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit == 'true' && steps.ghcr.outputs.satisfied != 'true' - shell: bash - run: | - if [ -d ~/apt-cache ] && ls ~/apt-cache/*.deb >/dev/null 2>&1; then - sudo cp ~/apt-cache/*.deb /var/cache/apt/archives/ - echo "Restored $(ls ~/apt-cache/*.deb | wc -l) cached .deb files" - fi - - name: Install packages if: steps.ghcr.outputs.satisfied != 'true' shell: bash - env: - APT_CACHE_HIT: ${{ steps.apt-cache.outputs.cache-hit }} run: | export DEBIAN_FRONTEND=noninteractive RETRIES=${{ inputs.retries }} 
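Review bot: The Install packages step still splices `${{ inputs.retries }}` into the script text in this hunk, and `${{ inputs.packages }}` into the retry loop in the next one (@@ -120,17 +85,6), so the input is expanded by the Actions template engine before bash parses the script instead of reaching it as data. This hunk removes the step's `env:` block; I would keep one and carry the input through it, `env:` with `PACKAGES: ${{ inputs.packages }}`, then `sudo apt-get install -y $NO_REC $PACKAGES` (left unquoted so the list still word-splits), and move `inputs.retries` the same way. The callers touched by this patch pass `matrix.apt_packages`; whether that value can ever originate outside the repository is not visible from here, so treat this as hardening rather than a confirmed hole. The step's script begins in this hunk and continues past its end.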
@@ -120,17 +85,6 @@ runs: NO_REC="--no-install-recommends" fi - # Fast path: on cache hit the .debs are already pre-seeded into - # /var/cache/apt/archives. Try installing directly first; if that - # fails (e.g. the cached .debs were superseded in the index) fall - # through to the regular update + install path. - if [ "$APT_CACHE_HIT" = "true" ]; then - if sudo apt-get install -y $NO_REC ${{ inputs.packages }}; then - exit 0 - fi - echo "::warning::install from cached .debs failed, falling back to apt-get update" - fi - for i in $(seq 1 $RETRIES); do if sudo apt-get update -q && \ sudo apt-get install -y $NO_REC ${{ inputs.packages }}; then @@ -144,21 +98,3 @@ runs: sleep $DELAY DELAY=$((DELAY * 2)) done - - # PR runs never write the apt cache (no churn); only push/schedule runs - # refresh it. The make-check family does not need it anyway - it installs - # from the ghcr bundle above. - - name: Collect .deb files for cache - if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true' - shell: bash - run: | - mkdir -p ~/apt-cache - cp /var/cache/apt/archives/*.deb ~/apt-cache/ 2>/dev/null || true - echo "Cached $(ls ~/apt-cache/*.deb 2>/dev/null | wc -l) .deb files" - - - name: Save apt cache - if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true' - uses: actions/cache/save@v5 - with: - path: ~/apt-cache - key: ${{ steps.cache-key.outputs.key }} diff --git a/.github/membrowse-targets.json b/.github/membrowse-targets.json index 3fc387f04f4..5c737e83491 100644 --- a/.github/membrowse-targets.json +++ b/.github/membrowse-targets.json 
@@ -204,8 +204,7 @@ "build_cmd": "./autogen.sh && ./configure --with-linux-source=/lib/modules/$(uname -r)/build EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-testcert --enable-all-asm --enable-crypttests --enable-linuxkm-benchmarks CFLAGS='-Wframe-larger-than=2048 -Wstack-usage=4096 -DBENCH_EMBEDDED -DBENCH_MIN_RUNTIME_SEC=0.01 -DBENCH_NTIMES=1 -DBENCH_AGREETIMES=1' --with-max-rsa-bits=16384 && make -j$(nproc) KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1", "elf": "linuxkm/libwolfssl.ko", "ld": "linuxkm/wolfcrypt.lds", - "linker_vars": "", - "apt_cache": "false" + "linker_vars": "" }, { "target_name": "linuxkm-pie", @@ -215,7 +214,6 @@ "build_cmd": "./autogen.sh && ./configure --with-linux-source=/lib/modules/$(uname -r)/build EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-pie --enable-reproducible-build --enable-linuxkm-lkcapi-register=all --enable-all-crypto --enable-cryptonly --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --disable-sp-asm --enable-crypttests --enable-linuxkm-benchmarks CFLAGS='-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -DDEBUG_LINUXKM_PIE_SUPPORT -Wframe-larger-than=2048 -Wstack-usage=4096 -DBENCH_EMBEDDED -DBENCH_MIN_RUNTIME_SEC=0.01 -DBENCH_NTIMES=1 -DBENCH_AGREETIMES=1' --with-max-rsa-bits=16384 && make -j$(nproc) KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1", "elf": "linuxkm/libwolfssl.ko", "ld": "linuxkm/wolfcrypt.lds", - "linker_vars": "", - "apt_cache": "false" + "linker_vars": "" } ] 
diff --git a/.github/workflows/membrowse-onboard.yml b/.github/workflows/membrowse-onboard.yml index 978a23c132f..6d8a3c1552d 100644 --- a/.github/workflows/membrowse-onboard.yml +++ b/.github/workflows/membrowse-onboard.yml @@ -47,7 +47,6 @@ jobs: uses: ./.github/actions/install-apt-deps with: packages: ${{ matrix.apt_packages }} - cache: ${{ matrix.apt_cache || 'true' }} - name: Run Membrowse Onboard Action uses: membrowse/membrowse-action/onboard-action@v1 diff --git a/.github/workflows/membrowse-report.yml b/.github/workflows/membrowse-report.yml index 805ae01eae8..191cd0c6e4a 100644 --- a/.github/workflows/membrowse-report.yml +++ b/.github/workflows/membrowse-report.yml @@ -86,7 +86,6 @@ jobs: uses: ./.github/actions/install-apt-deps with: packages: ${{ matrix.apt_packages }} - cache: ${{ matrix.apt_cache || 'true' }} - name: Build firmware if: needs.check-changes.outputs.needs_build == 'true' diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 8a6a68388d0..4c1f46cf8a8 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -67,7 +67,6 @@ jobs: uses: ./.github/actions/install-apt-deps with: packages: build-essential autoconf libldb-dev libldb2 python3-ldb bc libcap-dev - cache: 'false' - name: Setup env run: | From 06e4ec9fe32b3a0de910f53324b2c02b26b1bdc6 Mon Sep 17 00:00:00 2001 
From: Juliusz Sosinowicz Date: Tue, 16 Jun 2026 15:22:36 +0000 Subject: [PATCH 2/5] CI: install all apt deps from ghcr bundles Extends the ghcr offline-install path to every install-apt-deps consumer that was still on plain apt, and publishes the bundles they need. New bundles built by ci-deps-image: - ubuntu-24.04-embedded: the membrowse ARM cross-toolchain (~0.5 GB), kept out of -full so it does not bloat the interop workflows' pull. - ubuntu-24.04-linuxkm: linux-headers-$(uname -r) + the kernel-module build toolchain. linux-headers tracks the runner's running kernel, so a daily job rebuilds it only when uname -r changed (recorded as an image label); a mismatch during a runner-image rollout just falls back to apt. Consumers now passing ghcr-debs-tag: - sssd -> ubuntu-24.04-full (its deps added to that list) - hostap-vm -> ubuntu-22.04-full (its deps added to that list) - membrowse targets -> ubuntu-24.04-embedded; the two linuxkm targets -> ubuntu-24.04-linuxkm (new per-target matrix.ghcr_tag) - linuxkm.yml -> ubuntu-24.04-linuxkm (pinned to ubuntu-24.04 so the bundle's headers match the runner kernel) Each consumer still falls back to apt when its bundle is unavailable, so nothing breaks until ci-deps-image first publishes the new tags. --- .../ci-deps/packages-ubuntu-22.04-full.txt | 11 ++ .../packages-ubuntu-24.04-embedded.txt | 15 +++ .../ci-deps/packages-ubuntu-24.04-full.txt | 4 + .github/membrowse-targets.json | 20 ++++ .github/workflows/ci-deps-image.yml | 107 ++++++++++++++++-- .github/workflows/hostap-vm.yml | 1 + .github/workflows/linuxkm.yml | 3 +- .github/workflows/membrowse-onboard.yml | 1 + .github/workflows/membrowse-report.yml | 1 + .github/workflows/sssd.yml | 1 + 10 files changed, 155 insertions(+), 9 deletions(-) create mode 100644 .github/ci-deps/packages-ubuntu-24.04-embedded.txt diff --git a/.github/ci-deps/packages-ubuntu-22.04-full.txt b/.github/ci-deps/packages-ubuntu-22.04-full.txt index f809efaeb4c..389fbbd8646 100644 
--- a/.github/ci-deps/packages-ubuntu-22.04-full.txt +++ b/.github/ci-deps/packages-ubuntu-22.04-full.txt @@ -4,6 +4,7 @@ # Keep sorted; add a package when an interop workflow adds one. autoconf automake +binutils-dev bison bridge-utils build-essential @@ -17,6 +18,7 @@ crossbuild-essential-arm64 crossbuild-essential-armel crossbuild-essential-armhf crossbuild-essential-riscv64 +curl device-tree-compiler dfu-util diffstat @@ -39,12 +41,19 @@ help2man iproute2 lcov libcairo2-dev +libcurl4-openssl-dev +libdbus-1-dev libglib2.0-dev libgtk2.0-0 +libiberty-dev liblocale-gettext-perl libmagic1 libncurses5-dev +libnl-3-dev +libnl-genl-3-dev +libnl-route-3-dev libpcap-dev +libpcap0.8 libpopt0 libsdl1.2-dev libsdl2-dev @@ -63,6 +72,7 @@ python-is-python3 python3-dev python3-pip python3-ply +python3-pycryptodome python3-setuptools python3-tk python3-wheel @@ -73,6 +83,7 @@ socat srecord sudo texinfo +tshark uml-utilities unzip wget diff --git a/.github/ci-deps/packages-ubuntu-24.04-embedded.txt b/.github/ci-deps/packages-ubuntu-24.04-embedded.txt new file mode 100644 index 00000000000..0584e4dad33 --- /dev/null +++ b/.github/ci-deps/packages-ubuntu-24.04-embedded.txt @@ -0,0 +1,15 @@ +# membrowse embedded-target apt packages for ubuntu-24.04 (the +# '-embedded' bundle: ghcr.io//wolfssl-ci-debs:ubuntu-24.04-embedded). +# Kept separate from -full because the ARM cross-toolchain is large (~0.5 GB) +# and unrelated to the interop workflows that pull -full. Keep sorted. +build-essential +ca-certificates +cmake +gcc-arm-none-eabi +git +libnewlib-arm-none-eabi +libstdc++-arm-none-eabi-newlib +ninja-build +python3 +unzip +wget diff --git a/.github/ci-deps/packages-ubuntu-24.04-full.txt b/.github/ci-deps/packages-ubuntu-24.04-full.txt index 9872201d641..29344bd4e50 100644 --- a/.github/ci-deps/packages-ubuntu-24.04-full.txt +++ b/.github/ci-deps/packages-ubuntu-24.04-full.txt @@ -8,6 +8,7 @@ autoconf autoconf-archive automake autopoint +bc bubblewrap build-essential ccache 
@@ -51,6 +52,8 @@ libidn2-dev libio-socket-ssl-perl libjansson-dev libkrb5-dev +libldb-dev +libldb2 liblz4-dev liblzma-dev liblzo2-dev @@ -87,6 +90,7 @@ pkgconf psmisc python3-docutils python3-impacket +python3-ldb python3-psutil shellcheck uuid-dev diff --git a/.github/membrowse-targets.json b/.github/membrowse-targets.json index 5c737e83491..3acf427ccae 100644 --- a/.github/membrowse-targets.json +++ b/.github/membrowse-targets.json @@ -4,6 +4,7 @@ "port": "gcc-arm", "board": "cortex-m4", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f IDE/GCC-ARM/Header/user_settings.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat IDE/GCC-ARM/Header/user_settings.h; printf '#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFCRYPT_ONLY -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -15,6 +16,7 @@ "port": "gcc-arm", "board": "cortex-m4-min-ecc", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_min_ecc.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_min_ecc.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK -DWOLFCRYPT_ONLY' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -26,6 +28,7 @@ "port": "gcc-arm", "board": "cortex-m4-tls12", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_tls12.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_tls12.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -37,6 +40,7 @@ "port": "gcc-arm", "board": "cortex-m4-baremetal", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_baremetal.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_baremetal.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK -DWOLFCRYPT_ONLY' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -48,6 +52,7 @@ "port": "gcc-arm", "board": "cortex-m0plus", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_min_ecc.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_min_ecc.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen ARCHFLAGS='-mcpu=cortex-m0plus -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP' CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK -DWOLFCRYPT_ONLY' LDFLAGS='-mcpu=cortex-m0plus -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -59,6 +64,7 @@ "port": "gcc-arm", "board": "cortex-m3", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_tls12.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_tls12.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen ARCHFLAGS='-mcpu=cortex-m3 -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP' CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m3 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -70,6 +76,7 @@ "port": "gcc-arm", "board": "cortex-m7", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f IDE/GCC-ARM/Header/user_settings.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat IDE/GCC-ARM/Header/user_settings.h; printf '#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen ARCHFLAGS='-mcpu=cortex-m7 -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP' CFLAGS_EXTRA='-Wno-cpp -DWOLFCRYPT_ONLY -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m7 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -81,6 +88,7 @@ "port": "gcc-arm", "board": "cortex-m4-tls13", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_tls13.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_tls13.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -92,6 +100,7 @@ "port": "gcc-arm", "board": "cortex-m4-dtls13", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_dtls13.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_dtls13.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen SRC_LD=-T./linker_large.ld CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20040000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker_large.ld", 
@@ -103,6 +112,7 @@ "port": "gcc-arm", "board": "cortex-m4-pq", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_pq.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_pq.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen SRC_LD=-T./linker_large.ld CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20040000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker_large.ld", 
@@ -114,6 +124,7 @@ "port": "gcc-arm", "board": "cortex-m4-rsa-only", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_rsa_only.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_rsa_only.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen SRC_LD=-T./linker_large.ld CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20040000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker_large.ld", 
@@ -125,6 +136,7 @@ "port": "gcc-arm", "board": "cortex-m4-pkcs7", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_pkcs7.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_pkcs7.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK -DWOLFCRYPT_ONLY' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -136,6 +148,7 @@ "port": "gcc-arm", "board": "cortex-m4-openssl-compat", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_openssl_compat.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_openssl_compat.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define SMALL_SESSION_CACHE\\n#undef HAVE_OCSP\\n#undef HAVE_CERTIFICATE_STATUS_REQUEST\\n#undef HAVE_CERTIFICATE_STATUS_REQUEST_V2\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define USER_TICKS\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen SRC_LD=-T./linker_large.ld CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20040000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker_large.ld", 
@@ -147,6 +160,7 @@ "port": "gcc-arm", "board": "cortex-m4-sp-math", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_min_ecc.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_min_ecc.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n#define WOLFSSL_SP_MATH\\n#define WOLFSSL_SP_NO_ASM\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK -DWOLFCRYPT_ONLY' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -158,6 +172,7 @@ "port": "gcc-arm", "board": "cortex-m4-crypto-only", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "mkdir -p IDE/GCC-ARM/Header-gen && printf '#ifndef WOLFSSL_USER_SETTINGS_H\\n#define WOLFSSL_USER_SETTINGS_H\\n#define WOLFCRYPT_ONLY\\n#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define HAVE_AESGCM\\n#define HAVE_AES_DECRYPT\\n#define HAVE_ECC\\n#define HAVE_CHACHA\\n#define HAVE_POLY1305\\n#define WOLFSSL_SHA512\\n#define WOLFSSL_SHA384\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n#endif\\n' > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK -DWOLFCRYPT_ONLY' LDFLAGS='-mcpu=cortex-m4 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -169,6 +184,7 @@ "port": "gcc-arm", "board": "cortex-m7-tls13", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_tls13.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_tls13.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen ARCHFLAGS='-mcpu=cortex-m7 -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP' CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m7 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20010000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker.ld", 
@@ -180,6 +196,7 @@ "port": "gcc-arm", "board": "cortex-m7-pq", "apt_packages": "gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "test -f examples/configs/user_settings_pq.h && mkdir -p IDE/GCC-ARM/Header-gen && { cat examples/configs/user_settings_pq.h; printf '#define WOLFSSL_GENERAL_ALIGNMENT 4\\n#define SINGLE_THREADED\\n#define WOLFSSL_SMALL_STACK\\n#define NO_FILESYSTEM\\n#define NO_WRITEV\\n#define NO_MAIN_DRIVER\\n#define NO_DEV_RANDOM\\n#define BENCH_EMBEDDED\\n#define USE_CERT_BUFFERS_256\\n#define USE_CERT_BUFFERS_2048\\n#define WOLFSSL_IGNORE_FILE_WARN\\n#define WOLFSSL_USER_IO\\n#define WOLFSSL_USER_CURRTIME\\n#define TIME_OVERRIDES\\n#define USER_TICKS\\n#define XTIME my_time\\n#define XGMTIME my_gmtime\\n#define CUSTOM_RAND_TYPE unsigned int\\nextern unsigned int my_rng_seed_gen(void);\\n#undef CUSTOM_RAND_GENERATE\\n#define CUSTOM_RAND_GENERATE my_rng_seed_gen\\n#define HAVE_HASHDRBG\\n#define NO_CRYPT_TEST\\n#define NO_CRYPT_BENCHMARK\\n'; } > IDE/GCC-ARM/Header-gen/user_settings.h && cd IDE/GCC-ARM && make -f Makefile.test TOOLCHAIN=arm-none-eabi- FIPS=0 USER_SETTINGS_DIR=./Header-gen ARCHFLAGS='-mcpu=cortex-m7 -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP' SRC_LD=-T./linker_large.ld CFLAGS_EXTRA='-Wno-cpp -DWOLFSSL_NO_SOCK' LDFLAGS='-mcpu=cortex-m7 -mthumb -mabi=aapcs --specs=nosys.specs --specs=nano.specs -Wl,-Map=./Build/WolfCryptTest.map -Wl,-ereset_handler -flto -Wl,--defsym=__stack_process_end__=0x20040000'", "elf": "IDE/GCC-ARM/Build/WolfCryptTest.elf", "ld": "IDE/GCC-ARM/linker_large.ld", 
@@ -191,6 +208,7 @@ "port": "stm32-sim", "board": "stm32h753", "apt_packages": "build-essential ca-certificates cmake ninja-build python3 git gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib wget unzip", + "ghcr_tag": "ubuntu-24.04-embedded", "build_cmd": "if [ ! -d simulators ]; then git clone --depth 1 https://github.com/wolfSSL/simulators simulators; fi && sudo mkdir -p /opt && if [ ! -d /opt/cmsis-device-h7 ]; then sudo git clone --depth 1 https://github.com/STMicroelectronics/cmsis-device-h7.git /opt/cmsis-device-h7; fi && if [ ! -d /opt/CMSIS_5 ]; then sudo git clone --depth 1 https://github.com/ARM-software/CMSIS_5.git /opt/CMSIS_5; fi && if [ ! -d /opt/STM32CubeH7 ]; then (sudo git clone --depth 1 --branch v1.11.2 --recurse-submodules https://github.com/STMicroelectronics/STM32CubeH7.git /opt/STM32CubeH7 || (sudo git clone --depth 1 --branch v1.11.2 https://github.com/STMicroelectronics/STM32CubeH7.git /opt/STM32CubeH7 && cd /opt/STM32CubeH7 && sudo git submodule update --init --recursive --depth 1)); fi && sudo rm -rf /opt/firmware-stm32sim-h7 /opt/wolfssl-stm32sim && sudo mkdir -p /opt/firmware-stm32sim-h7 && sudo cp -r simulators/STM32Sim/firmware/wolfcrypt-test-h7/. /opt/firmware-stm32sim-h7/ && sudo cp /opt/firmware-stm32sim-h7/stm32h7xx_hal_conf.h /opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Inc/ && sudo cp -r . 
/opt/wolfssl-stm32sim && sudo rm -f /opt/wolfssl-stm32sim/config.h && cd /opt/firmware-stm32sim-h7 && sudo cmake -G Ninja -DWOLFSSL_USER_SETTINGS=ON -DUSER_SETTINGS_FILE=/opt/firmware-stm32sim-h7/user_settings.h -DCMAKE_TOOLCHAIN_FILE=/opt/firmware-stm32sim-h7/toolchain-arm-none-eabi.cmake -DCMAKE_BUILD_TYPE=Release -DWOLFSSL_CRYPT_TESTS=OFF -DWOLFSSL_EXAMPLES=OFF -DWOLFSSL_ROOT=/opt/wolfssl-stm32sim -B /opt/firmware-stm32sim-h7/build -S /opt/firmware-stm32sim-h7 && sudo cmake --build /opt/firmware-stm32sim-h7/build && sudo cp /opt/firmware-stm32sim-h7/build/wolfcrypt_test.elf $GITHUB_WORKSPACE/wolfcrypt_test.elf", "elf": "wolfcrypt_test.elf", "ld": "simulators/STM32Sim/firmware/wolfcrypt-test-h7/stm32h753.ld", @@ -201,6 +219,7 @@ "port": "linuxkm", "board": "linux-kernel-module-standard", "apt_packages": "build-essential autoconf automake libtool linux-headers-$(uname -r)", + "ghcr_tag": "ubuntu-24.04-linuxkm", "build_cmd": "./autogen.sh && ./configure --with-linux-source=/lib/modules/$(uname -r)/build EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-testcert --enable-all-asm --enable-crypttests --enable-linuxkm-benchmarks CFLAGS='-Wframe-larger-than=2048 -Wstack-usage=4096 -DBENCH_EMBEDDED -DBENCH_MIN_RUNTIME_SEC=0.01 -DBENCH_NTIMES=1 -DBENCH_AGREETIMES=1' --with-max-rsa-bits=16384 && make -j$(nproc) KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1", "elf": "linuxkm/libwolfssl.ko", "ld": "linuxkm/wolfcrypt.lds", 
@@ -211,6 +230,7 @@ "port": "linuxkm", "board": "linux-kernel-module-pie", "apt_packages": "build-essential autoconf automake libtool linux-headers-$(uname -r)", + "ghcr_tag": "ubuntu-24.04-linuxkm", "build_cmd": "./autogen.sh && ./configure --with-linux-source=/lib/modules/$(uname -r)/build EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-pie --enable-reproducible-build --enable-linuxkm-lkcapi-register=all --enable-all-crypto --enable-cryptonly --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --disable-sp-asm --enable-crypttests --enable-linuxkm-benchmarks CFLAGS='-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -DDEBUG_LINUXKM_PIE_SUPPORT -Wframe-larger-than=2048 -Wstack-usage=4096 -DBENCH_EMBEDDED -DBENCH_MIN_RUNTIME_SEC=0.01 -DBENCH_NTIMES=1 -DBENCH_AGREETIMES=1' --with-max-rsa-bits=16384 && make -j$(nproc) KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1", "elf": "linuxkm/libwolfssl.ko", "ld": "linuxkm/wolfcrypt.lds", diff --git a/.github/workflows/ci-deps-image.yml b/.github/workflows/ci-deps-image.yml index 4bffc66f683..60a7a7842a2 100644 --- a/.github/workflows/ci-deps-image.yml +++ b/.github/workflows/ci-deps-image.yml @@ -1,7 +1,9 @@ name: CI deps image # Builds the prebuilt apt .deb bundles that the make-check family (the -# -minimal tags) and the interop workflows (the -full tags, a superset) +# -minimal tags), the interop workflows (the -full tags, a superset), the +# membrowse embedded targets (the -embedded tag - the big ARM cross-toolchain) +# and the linux kernel-module builds (the -linuxkm tag - kernel headers) # install offline (see .github/actions/install-apt-deps, input # ghcr-debs-tag). Each bundle holds the .debs for a package list in # .github/ci-deps/ - every package plus the dependencies not already on the 
@@ -22,13 +24,18 @@ name: CI deps image on: schedule: - # Weekend only - refresh the bundles weekly so they track base-image - # security updates. A mid-week package-list change waits for Saturday - # (or run this manually via workflow_dispatch); until then the offline - # install (a single --no-download install of the whole set) fails if any - # requested package is missing from the bundle, and install-apt-deps - # falls back to the full apt path. + # Weekly (Saturday) - the static bundles (-minimal/-full/-embedded). + # Refreshes them so they track base-image security updates. A mid-week + # package-list change waits for Saturday (or run this manually via + # workflow_dispatch); until then the offline install (a single + # --no-download install of the whole set) fails if any requested package + # is missing from the bundle, and install-apt-deps falls back to apt. - cron: '0 2 * * 6' + # Daily - the kernel-tracking -linuxkm bundle only. linux-headers-$(uname + # -r) pins to the runner's running kernel (changes ~monthly); the linuxkm + # job rebuilds solely when uname -r differs from the published bundle, a + # cheap no-op otherwise. A mismatch mid-rollout just falls back to apt. + - cron: '0 3 * * *' workflow_dispatch: concurrency: @@ -42,7 +49,11 @@ permissions: jobs: build: name: build ${{ matrix.tag }} - if: github.repository_owner == 'wolfssl' + # Static bundles: weekly cron or manual dispatch. Skip the daily cron, + # which exists only to refresh the kernel-tracking -linuxkm bundle below. + if: >- + github.repository_owner == 'wolfssl' && + (github.event_name != 'schedule' || github.event.schedule == '0 2 * * 6') strategy: fail-fast: false matrix: 
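Review bot: The new `if:` on the `build` job compares `github.event.schedule` with the literal `'0 2 * * 6'`, which ties it to the exact text of the weekly cron entry added in the schedule hunk above it. If that cron string is edited later, even only in spacing, scheduled runs of `build` are skipped with no error, and the static bundles stop tracking base-image security updates. Nothing at the cron entry warns about this, so I would add a comment there such as `# build.if matches this string literally - change both together`. The `build` job's body continues outside the hunk.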
@@ -55,6 +66,10 @@ jobs:
 tag: ubuntu-24.04-minimal
 - runner: ubuntu-24.04
 tag: ubuntu-24.04-full
+ # membrowse embedded targets' ARM cross-toolchain (~0.5 GB). Its own
+ # tag so it does not bloat the -full pull for the interop workflows.
+ - runner: ubuntu-24.04
+ tag: ubuntu-24.04-embedded
 - runner: ubuntu-22.04
 tag: ubuntu-22.04-minimal
 - runner: ubuntu-22.04
@@ -114,3 +129,79 @@ jobs: docker tag bundle "$IMG:${{ matrix.tag }}" docker push "$IMG:${{ matrix.tag }}" echo "Pushed $IMG:${{ matrix.tag }}" + + # Kernel-tracking bundle for the linux kernel-module builds (linuxkm.yml and + # the membrowse linuxkm targets). linux-headers-$(uname -r) pins to the + # runner's running kernel, so this runs daily but rebuilds only when the + # kernel changed since the published bundle (the image carries the kernel as + # a label). A mismatch - e.g. during a gradual runner-image rollout - just + # makes install-apt-deps fall back to apt. + linuxkm: + name: build ubuntu-24.04-linuxkm + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-24.04 + timeout-minutes: 20 + steps: + - name: Log in to ghcr + shell: bash + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + + - name: Decide whether the published bundle already matches this kernel + id: check + shell: bash + run: | + set -uo pipefail + OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]') + IMG="ghcr.io/$OWNER/wolfssl-ci-debs:ubuntu-24.04-linuxkm" + K=$(uname -r) + echo "kernel=$K" >> "$GITHUB_OUTPUT" + echo "runner kernel: $K" + have="" + if docker pull -q "$IMG" >/dev/null 2>&1; then + have=$(docker inspect --format '{{ index .Config.Labels "kernel" }}' "$IMG" 2>/dev/null || true) + fi + echo "published bundle kernel: ${have:-}" + if [ "$have" = "$K" ]; then + echo "rebuild=false" >> "$GITHUB_OUTPUT" + echo "Bundle already current for $K; nothing to do." + else + echo "rebuild=true" >> "$GITHUB_OUTPUT" + fi + + - name: Resolve and download the .deb closure + if: steps.check.outputs.rebuild == 'true' + shell: bash + run: | + set -euo pipefail + K="${{ steps.check.outputs.kernel }}" + # linuxkm.yml installs only the headers; the membrowse linuxkm targets + # also need the build toolchain. Bundle the union - each consumer + # installs its own subset offline. 
+ PKGS=(build-essential autoconf automake libtool "linux-headers-$K") + echo "Packages: ${PKGS[*]}" + export DEBIAN_FRONTEND=noninteractive + rm -rf debs && mkdir -p debs + sudo apt-get clean + retry() { local i; for i in 1 2 3 4 5; do "$@" && return 0; sleep $((2**i)); done; "$@"; } + retry sudo apt-get update -q + skipped=0 + for pkg in "${PKGS[@]}"; do + retry sudo apt-get install -y --download-only "$pkg" \ + || { echo "::warning::could not download $pkg"; skipped=$((skipped+1)); } + done + sudo cp /var/cache/apt/archives/*.deb debs/ 2>/dev/null || true + echo "Bundled $(ls debs/*.deb 2>/dev/null | wc -l) .deb files; ${skipped} skipped" + test -n "$(ls debs/*.deb 2>/dev/null)" + + - name: Build and push bundle (labelled with the kernel) + if: steps.check.outputs.rebuild == 'true' + shell: bash + run: | + set -euo pipefail + K="${{ steps.check.outputs.kernel }}" + OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]') + IMG="ghcr.io/$OWNER/wolfssl-ci-debs:ubuntu-24.04-linuxkm" + printf 'FROM busybox\nCOPY debs /debs\nLABEL kernel=%s\n' "$K" > Dockerfile.debs + docker build -f Dockerfile.debs -t "$IMG" . + docker push "$IMG" + echo "Pushed $IMG (kernel $K)" diff --git a/.github/workflows/hostap-vm.yml b/.github/workflows/hostap-vm.yml index 8a40451e662..a860006cb07 100644 --- a/.github/workflows/hostap-vm.yml +++ b/.github/workflows/hostap-vm.yml @@ -230,6 +230,7 @@ jobs: uses: ./wolfssl/.github/actions/install-apt-deps with: packages: libpcap0.8 libpcap-dev curl libcurl4-openssl-dev libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome + ghcr-debs-tag: ubuntu-22.04-full - name: Install pip dependencies run: sudo pip install pycryptodome diff --git a/.github/workflows/linuxkm.yml b/.github/workflows/linuxkm.yml index ebc05231494..8922f71bdf0 100644 --- a/.github/workflows/linuxkm.yml +++ b/.github/workflows/linuxkm.yml 
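Review bot: In the `check` step of the new `linuxkm` job the rebuild decision depends only on the image's `kernel` label, so a `workflow_dispatch` run cannot force a refresh of the `-linuxkm` bundle while the runner kernel is unchanged. That leaves no manual way to replace a bad bundle or to pick up an edit to `PKGS`. The toolchain .debs in the bundle also stay at the versions that were current when the kernel last changed. I would treat a manual dispatch as a forced rebuild, for example `if [ "$have" = "$K" ] && [ "${{ github.event_name }}" != "workflow_dispatch" ]; then`.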
@@ -24,7 +24,7 @@ jobs: ] name: build module if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 5 steps: - uses: actions/checkout@v5 @@ -34,6 +34,7 @@ jobs: uses: ./.github/actions/install-apt-deps with: packages: linux-headers-$(uname -r) + ghcr-debs-tag: ubuntu-24.04-linuxkm - name: Prepare target kernel for module builds run: | diff --git a/.github/workflows/membrowse-onboard.yml b/.github/workflows/membrowse-onboard.yml index 6d8a3c1552d..4cba2fa7d01 100644 --- a/.github/workflows/membrowse-onboard.yml +++ b/.github/workflows/membrowse-onboard.yml @@ -47,6 +47,7 @@ jobs: uses: ./.github/actions/install-apt-deps with: packages: ${{ matrix.apt_packages }} + ghcr-debs-tag: ${{ matrix.ghcr_tag }} - name: Run Membrowse Onboard Action uses: membrowse/membrowse-action/onboard-action@v1 diff --git a/.github/workflows/membrowse-report.yml b/.github/workflows/membrowse-report.yml index 191cd0c6e4a..e4dabc58a7e 100644 --- a/.github/workflows/membrowse-report.yml +++ b/.github/workflows/membrowse-report.yml @@ -86,6 +86,7 @@ jobs: uses: ./.github/actions/install-apt-deps with: packages: ${{ matrix.apt_packages }} + ghcr-debs-tag: ${{ matrix.ghcr_tag }} - name: Build firmware if: needs.check-changes.outputs.needs_build == 'true' diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 4c1f46cf8a8..d3ba3667c6b 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -67,6 +67,7 @@ jobs: uses: ./.github/actions/install-apt-deps with: packages: build-essential autoconf libldb-dev libldb2 python3-ldb bc libcap-dev + ghcr-debs-tag: ubuntu-24.04-full - name: Setup env run: | From cfbfecb1bcc9780ba012cbf01e9e33f690a46e7d Mon Sep 17 00:00:00 2001 
From: Juliusz Sosinowicz Date: Tue, 16 Jun 2026 16:33:12 +0000 Subject: [PATCH 3/5] CI: fail the linuxkm bundle build on any download error Addresses PR review feedback. The kernel-tracking linuxkm bundle treated a failed --download-only as a warning and still published, so a transient mirror error could ship a partial bundle. Because the daily job skips rebuilds while the kernel label matches, such a partial bundle would persist until the kernel next changes (~monthly), forcing consumers to fall back to apt the whole time. The linuxkm set is small and entirely required, so resolve it as one closure and let a failure fail the job; we push only on success, so the last good bundle stays in place. The static -full/-minimal bundles keep their per-package skip-and-warn - they serve many independent consumer subsets and rebuild weekly, so maximizing coverage is the right trade-off there. --- .github/workflows/ci-deps-image.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci-deps-image.yml b/.github/workflows/ci-deps-image.yml index 60a7a7842a2..8908d9b36c5 100644 --- a/.github/workflows/ci-deps-image.yml +++ b/.github/workflows/ci-deps-image.yml 
@@ -184,14 +184,15 @@ jobs: sudo apt-get clean retry() { local i; for i in 1 2 3 4 5; do "$@" && return 0; sleep $((2**i)); done; "$@"; } retry sudo apt-get update -q - skipped=0 - for pkg in "${PKGS[@]}"; do - retry sudo apt-get install -y --download-only "$pkg" \ - || { echo "::warning::could not download $pkg"; skipped=$((skipped+1)); } - done + # The whole set is required and this bundle is small, so resolve it as + # one closure and let any download failure fail the job. We push only + # on success, so a transient mirror error keeps the last good bundle + # rather than publishing a partial one - which the kernel-label skip + # would then pin in place until the kernel next changes (~monthly). + retry sudo apt-get install -y --download-only "${PKGS[@]}" sudo cp /var/cache/apt/archives/*.deb debs/ 2>/dev/null || true - echo "Bundled $(ls debs/*.deb 2>/dev/null | wc -l) .deb files; ${skipped} skipped" - test -n "$(ls debs/*.deb 2>/dev/null)" + echo "Bundled $(ls debs/*.deb 2>/dev/null | wc -l) .deb files" + test -n "$(ls debs/*.deb 2>/dev/null)" # headers are never preinstalled - name: Build and push bundle (labelled with the kernel) if: steps.check.outputs.rebuild == 'true' From 94a671bed8bcc22d54d836179ff871d86ddae470 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 17 Jun 2026 08:50:51 +0000 Subject: [PATCH 4/5] CI: disable setup-alire's cache in the Ada workflow setup-alire@v5 caches the gnat_native+gprbuild toolchain via actions/cache (key alr[1][2.1.0][...]), holding ~1.26 GiB - 3x the 428 MiB toolchain, one copy per ref - against the repo's 10 GiB cache cap. On a miss the toolchain is only a ~17s pull from github.com (alire-project releases), so the cache saved ~20-30s on a ~6.5min Ada job (dominated by gnatprove). Not worth the space; install it fresh each run. --- .github/workflows/ada.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ada.yml b/.github/workflows/ada.yml index ae6fc8d09c1..158b3e93976 100644 
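Review bot: The unchanged line `sudo cp /var/cache/apt/archives/*.deb debs/ 2>/dev/null || true` still swallows copy errors, so a failed or partial copy can be published even though this commit makes the download fail closed. The closing `test -n` only proves that at least one .deb exists, not that the kernel headers are among them. To match the commit's intent I would drop the suppression, `sudo cp /var/cache/apt/archives/*.deb debs/`, and check for the headers explicitly with `ls debs/linux-headers-"$K"_*.deb >/dev/null`. The step's body starts outside this hunk.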
--- a/.github/workflows/ada.yml +++ b/.github/workflows/ada.yml @@ -18,6 +18,10 @@ jobs: - name: Install alire uses: alire-project/setup-alire@v5 + with: + # The toolchain is downloaded from GitHub releases, so caching is not + # beneficial relative to the cache space it uses. + cache: false - name: Install wolfssl Ada working-directory: ./wrapper/Ada From d3659c74fdd5be16bdb0bd020f49ad435b6e001e Mon Sep 17 00:00:00 2001 
From: Juliusz Sosinowicz Date: Wed, 17 Jun 2026 09:29:48 +0000 Subject: [PATCH 5/5] CI: move Arduino cores from actions/cache to ghcr bundles arduino.yml's per-core actions/cache layer stored the installed cores and toolchains (~/.arduino15) - several GB, dominated by the esp32 and mbed cores - in the 10 GB Actions cache. For esp32 it was also ineffective: the disk-cleanup step deletes the esp32 toolchain before actions/cache saves it, so esp32 re-downloaded every run anyway. - New arduino-cores-image workflow resolves each of the 9 distinct cores and publishes a tar of ~/.arduino15 + ~/Arduino/libraries to ghcr.io//wolfssl-ci-arduino:. It runs monthly: esp32, the fastest-moving core, releases ~monthly and the rest far less often. - New install-arduino-core composite action restores that bundle offline and verifies the core is present, falling back to `arduino-cli core install` when the bundle is unavailable - so nothing breaks until the image is first published and made public. - arduino.yml calls the action in place of the inline core install and the actions/cache step. This takes the flaky espressif / esp8266.com / pjrc.com downloads off the PR critical path and frees the Actions cache of the largest binaries it held. --- .../actions/install-arduino-core/action.yml | 81 +++++++++++ .github/workflows/arduino-cores-image.yml | 135 ++++++++++++++++++ .github/workflows/arduino.yml | 87 +++-------- 3 files changed, 235 insertions(+), 68 deletions(-) create mode 100644 .github/actions/install-arduino-core/action.yml create mode 100644 .github/workflows/arduino-cores-image.yml diff --git a/.github/actions/install-arduino-core/action.yml b/.github/actions/install-arduino-core/action.yml new file mode 100644 index 00000000000..d6f768d4e70 --- /dev/null +++ b/.github/actions/install-arduino-core/action.yml 
@@ -0,0 +1,81 @@ +name: 'Install Arduino core' +description: > + Make an Arduino core (and the shared CI libraries) available, preferring a + prebuilt bundle pulled from ghcr (published by the arduino-cores-image + workflow) and falling back to `arduino-cli core install` when the bundle is + unavailable or stale. Assumes arduino-cli is already on PATH. +inputs: + core-id: + description: 'vendor:arch core to make available, e.g. esp32:esp32' + required: true + board-manager-url: + description: > + Optional third-party board_manager index URL, used only on the + online-install fallback (the ghcr bundle already carries its own). + required: false + default: '' + libs: + description: 'Space-separated Arduino libraries to ensure are present' + required: false + default: 'ArduinoJson WiFiNINA Ethernet Bridge' +runs: + using: 'composite' + steps: + # Preferred path: restore ~/.arduino15 (the core + toolchain) and the + # shared libraries from a prebuilt tarball pulled from ghcr, so the flaky + # board_manager / toolchain downloads are off the PR critical path. The + # bundle is published only under the wolfssl org (gated below), so fork PRs + # read the public upstream image too. Best-effort: any failure leaves + # "satisfied" unset and the online install below runs unchanged. + - name: Restore Arduino core from ghcr bundle + id: ghcr + shell: bash + run: | + set -u + command -v docker >/dev/null 2>&1 || { echo "::notice::docker unavailable; installing core online"; exit 0; } + command -v arduino-cli >/dev/null 2>&1 || { echo "::notice::arduino-cli not on PATH; installing core online"; exit 0; } + CORE_ID='${{ inputs.core-id }}' + TAG=$(echo "$CORE_ID" | tr ':' '-') + IMG="ghcr.io/wolfssl/wolfssl-ci-arduino:$TAG" + if ! 
docker pull -q "$IMG" >/dev/null 2>&1; then + echo "::notice::ghcr bundle $IMG unavailable; installing core online" + exit 0 + fi + cid=$(docker create "$IMG" 2>/dev/null) || { echo "::notice::cannot open bundle; installing core online"; exit 0; } + rm -f "$RUNNER_TEMP/arduino-core.tar" + docker cp "$cid:/arduino-core.tar" "$RUNNER_TEMP/arduino-core.tar" >/dev/null 2>&1 || true + docker rm "$cid" >/dev/null 2>&1 || true + test -f "$RUNNER_TEMP/arduino-core.tar" || { echo "::notice::bundle had no tarball; installing core online"; exit 0; } + # Entries are stored relative to $HOME (.arduino15/..., Arduino/libraries/...). + tar -C "$HOME" -xf "$RUNNER_TEMP/arduino-core.tar" || { echo "::notice::could not unpack bundle; installing core online"; exit 0; } + rm -f "$RUNNER_TEMP/arduino-core.tar" + if arduino-cli core list 2>/dev/null | awk 'NR>1 {print $1}' | grep -Fxq "$CORE_ID"; then + echo "satisfied=true" >> "$GITHUB_OUTPUT" + echo "Restored $CORE_ID from $IMG" + else + echo "::notice::bundle did not yield $CORE_ID; installing core online" + fi + + - name: Install Arduino core online + if: steps.ghcr.outputs.satisfied != 'true' + shell: bash + run: | + set -euo pipefail + CORE_ID='${{ inputs.core-id }}' + BM_URL='${{ inputs.board-manager-url }}' + retry() { local i; for i in 1 2 3 4 5; do "$@" && return 0; sleep $((2**i)); done; "$@"; } + + arduino-cli config init --overwrite + # Wait up to 10 minutes for the big toolchain downloads. + arduino-cli config set network.connection_timeout 600s + # Scope third-party indexes to the one core that needs them: arduino-cli + # re-reads every configured index on each call and fails if any is + # unreachable, so an unconditional URL makes all jobs depend on it. + if [ -n "$BM_URL" ]; then + arduino-cli config add board_manager.additional_urls "$BM_URL" + fi + retry arduino-cli core update-index + retry arduino-cli core install "$CORE_ID" + for lib in ${{ inputs.libs }}; do + retry arduino-cli lib install "$lib" + done 
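Review bot: `tar -C "$HOME" -xf "$RUNNER_TEMP/arduino-core.tar"` unpacks whatever the pulled image holds straight into the runner's home directory, so a bundle with unexpected entries could overwrite shell or git configuration for the rest of the job. The image is pulled by a mutable tag with no digest or signature check, so nothing pins the archive to what arduino-cores-image produced. Restricting extraction to the two trees the bundle is documented to contain narrows this: `tar -C "$HOME" -xf "$RUNNER_TEMP/arduino-core.tar" .arduino15 Arduino/libraries`. Separately, `'${{ inputs.core-id }}'`, `'${{ inputs.board-manager-url }}'` and `${{ inputs.libs }}` are pasted into the script text; passing them through a step-level `env:` block would keep input values out of the shell source.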
diff --git a/.github/workflows/arduino-cores-image.yml b/.github/workflows/arduino-cores-image.yml new file mode 100644 index 00000000000..998fd04145e --- /dev/null +++ b/.github/workflows/arduino-cores-image.yml 
@@ -0,0 +1,135 @@ +name: Arduino cores image + +# Builds the prebuilt Arduino core bundles that arduino.yml restores offline +# (see .github/actions/install-arduino-core). Each bundle is a tar of +# ~/.arduino15 (the installed core + toolchain) and ~/Arduino/libraries (the +# shared CI libraries) for one vendor:arch core, published to +# ghcr.io//wolfssl-ci-arduino: (':' in the core id becomes '-'). +# +# Why: the core/toolchain downloads (espressif, esp8266.com, pjrc.com) are +# large and chronically flaky from runner egress, and the old actions/cache +# layer both pressed on the 10 GB cache cap and - for esp32 - was deleted by +# arduino.yml's disk cleanup before it was ever saved. Resolving each core ONCE +# here and pulling it from ghcr on every PR keeps those downloads off the PR +# critical path. ghcr storage/bandwidth is free for public images. +# +# ONE-TIME SETUP: after the first successful run, make the package +# `wolfssl-ci-arduino` PUBLIC (repo/org > Packages > Package settings > +# Change visibility). Anonymous `docker pull` then works from fork PRs too; +# until then install-arduino-core simply installs the core online (no breakage). + +on: + schedule: + # Monthly (1st). esp32 - the fastest-moving core - releases roughly monthly + # and the rest far less often, so a monthly unconditional rebuild tracks + # them closely enough; between rebuilds install-arduino-core installs any + # newer core online. Each run republishes every bundle. + - cron: '0 4 1 * *' + workflow_dispatch: + +concurrency: + group: arduino-cores-image-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + packages: write + +jobs: + build: + name: build ${{ matrix.core_id }} + if: github.repository_owner == 'wolfssl' + # teensy:avr's index lives at pjrc.com, chronically unreachable from runner + # egress; let it fail without blocking the other eight bundles. 
+ continue-on-error: ${{ matrix.core_id == 'teensy:avr' }} + runs-on: ubuntu-24.04 + timeout-minutes: 30 + strategy: + fail-fast: false + matrix: + include: + # Distinct vendor:arch cores behind arduino.yml's board matrix. The + # esp32 and mbed_* cores are the GB-scale toolchains; the AVR/SAM/SAMD + # cores are small. board_url is set only for cores whose index is not + # in the default board manager. + - core_id: arduino:avr + - core_id: arduino:samd + - core_id: arduino:sam + - core_id: arduino:mbed_edge + - core_id: arduino:mbed_portenta + - core_id: arduino:renesas_uno + - core_id: esp32:esp32 + - core_id: esp8266:esp8266 + board_url: https://arduino.esp8266.com/stable/package_esp8266com_index.json + - core_id: teensy:avr + board_url: https://www.pjrc.com/teensy/package_teensy_index.json + steps: + - name: Free disk space + shell: bash + run: | + sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL + sudo apt-get clean + df -h + + - name: Install Arduino CLI + shell: bash + run: | + set -euo pipefail + mkdir -p "$HOME/bin" + echo "$HOME/bin" >> "$GITHUB_PATH" + curl -fsSL --retry 5 --retry-delay 10 \ + https://raw.githubusercontent.com/arduino/arduino-cli/master/install.sh \ + | BINDIR="$HOME/bin" sh + "$HOME/bin/arduino-cli" version + + - name: Install the core and shared libraries + shell: bash + run: | + set -euo pipefail + CORE_ID='${{ matrix.core_id }}' + BM_URL='${{ matrix.board_url }}' + retry() { local i; for i in 1 2 3 4 5; do "$@" && return 0; sleep $((2**i)); done; "$@"; } + + arduino-cli config init --overwrite + arduino-cli config set network.connection_timeout 600s + if [ -n "$BM_URL" ]; then + arduino-cli config add board_manager.additional_urls "$BM_URL" + fi + retry arduino-cli core update-index + retry arduino-cli core install "$CORE_ID" + # Mirror arduino.yml's always-installed libraries so consumers get a + # complete bundle. 
+ for lib in ArduinoJson WiFiNINA Ethernet Bridge; do + retry arduino-cli lib install "$lib" + done + mkdir -p "$HOME/Arduino/libraries" + + - name: Pack the bundle tarball + shell: bash + run: | + set -euo pipefail + mkdir -p "$RUNNER_TEMP/ctx" + # Paths relative to $HOME so install-arduino-core can `tar -C $HOME -x` + # straight back. Drop the staging area and any wolfssl lib (arduino.yml + # always installs the latest wolfssl itself). + tar --exclude='.arduino15/staging' --exclude='Arduino/libraries/wolfssl' \ + -C "$HOME" -cf "$RUNNER_TEMP/ctx/arduino-core.tar" .arduino15 Arduino/libraries + echo "Tarball size: $(du -h "$RUNNER_TEMP/ctx/arduino-core.tar" | cut -f1)" + + - name: Log in to ghcr + shell: bash + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + + - name: Build and push bundle + shell: bash + run: | + set -euo pipefail + OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]') + TAG=$(echo "${{ matrix.core_id }}" | tr ':' '-') + IMG="ghcr.io/$OWNER/wolfssl-ci-arduino:$TAG" + # Tiny busybox base so the consumer can `docker cp` the tarball out; + # the base size is negligible next to the toolchain. + printf 'FROM busybox\nCOPY arduino-core.tar /arduino-core.tar\n' > "$RUNNER_TEMP/ctx/Dockerfile" + docker build -t "$IMG" "$RUNNER_TEMP/ctx" + docker push "$IMG" + echo "Pushed $IMG" diff --git a/.github/workflows/arduino.yml b/.github/workflows/arduino.yml index 08dd2d733b5..2df14a8edf4 100644 --- a/.github/workflows/arduino.yml +++ b/.github/workflows/arduino.yml 
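Review bot: The `Install Arduino CLI` step pipes `install.sh` from the `master` branch of arduino/arduino-cli into `sh`, so both the script and the arduino-cli release it fetches can change between runs. The same job later logs in to ghcr under `packages: write` and publishes bundles that install-arduino-core unpacks on PR runs, which makes the unpinned bootstrap the least controlled input to those bundles. I would pin both: fetch the script from `https://raw.githubusercontent.com/arduino/arduino-cli/<pinned-commit-sha>/install.sh` and request a fixed release with `| BINDIR="$HOME/bin" sh -s <pinned-version>`. The `FROM busybox` base in the final step could likewise be referenced by digest.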
@@ -197,53 +197,25 @@ jobs: run: | CORE_ID="$(echo '${{ matrix.fqbn }}' | cut -d: -f1-2)" echo "CORE_ID=$CORE_ID" >> "$GITHUB_ENV" - - - name: Setup Arduino CLI - run: | - arduino-cli config init - - # wait 10 minutes for big downloads (or use 0 for no limit) - arduino-cli config set network.connection_timeout 600s - - # Only add third-party board_manager URLs for matrix entries that actually need them. - # arduino-cli re-reads every configured index on each invocation and fails the whole - # step if any one is unreachable, so adding these unconditionally makes all jobs - # depend on pjrc.com and esp8266.com -- a single outage there cascades into total - # CI failure. Scope each URL to the one CORE_ID that uses it. - if [ "$CORE_ID" = "teensy:avr" ]; then - arduino-cli config add board_manager.additional_urls https://www.pjrc.com/teensy/package_teensy_index.json - fi - if [ "$CORE_ID" = "esp8266:esp8266" ]; then - arduino-cli config add board_manager.additional_urls https://arduino.esp8266.com/stable/package_esp8266com_index.json - fi - arduino-cli core update-index - - echo "CORE_ID: $CORE_ID" - arduino-cli core install "$CORE_ID" - - # The above is instead of: - # arduino-cli core install esp32:esp32 # ESP32 - # arduino-cli core install arduino:avr # Arduino Uno, Mega, Nano - # arduino-cli core install arduino:sam # Arduino Due - # arduino-cli core install arduino:samd # Arduino Zero - # arduino-cli core install teensy:avr # PJRC Teensy - # arduino-cli core install esp8266:esp8266 # ESP8266 - # arduino-cli core install arduino:mbed_nano # nanorp2040connect - # arduino-cli core install arduino:mbed_portenta # portenta_h7_m7 - # arduino-cli core install arduino:mbed_edge - # arduino-cli core install arduino:renesas_uno - - # For reference: - - # mbed nano not yet tested - # sudo "/home/$USER/.arduino15/packages/arduino/hardware/mbed_nano/4.2.4/post_install.sh" - - # Always install networking (not part of FQBN matrix) - # The first one also creates directory: 
/home/runner/Arduino/libraries - arduino-cli lib install "ArduinoJson" # Example dependency - arduino-cli lib install "WiFiNINA" # ARDUINO_SAMD_NANO_33_IOT - arduino-cli lib install "Ethernet" # Install Ethernet library - arduino-cli lib install "Bridge" # Pseudo-network for things like arduino:samd:tian + # Third-party board_manager index for the cores that need one. Scoped + # to the one CORE_ID that uses it: arduino-cli re-reads every index on + # each call and fails if any is unreachable, so an unconditional URL + # would make all jobs depend on pjrc.com / esp8266.com. Used only on + # the online-install fallback; the ghcr bundle already carries it. + case "$CORE_ID" in + teensy:avr) echo "BM_URL=https://www.pjrc.com/teensy/package_teensy_index.json" >> "$GITHUB_ENV" ;; + esp8266:esp8266) echo "BM_URL=https://arduino.esp8266.com/stable/package_esp8266com_index.json" >> "$GITHUB_ENV" ;; + *) echo "BM_URL=" >> "$GITHUB_ENV" ;; + esac + + # Restore the core + toolchain + shared libraries from the prebuilt ghcr + # bundle (arduino-cores-image), falling back to `arduino-cli core install` + # when it is unavailable. Replaces the old per-core actions/cache layer. + - name: Install Arduino core and libraries + uses: ./.github/actions/install-arduino-core + with: + core-id: ${{ env.CORE_ID }} + board-manager-url: ${{ env.BM_URL }} - name: Set Job Environment Variables run: | 
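Review bot: The teensy and esp8266 board-manager URLs in the new `case "$CORE_ID"` block repeat the `board_url` values from the arduino-cores-image matrix, and nothing in either place ties the two copies together. These index URLs decide where the toolchain is fetched from on the online-install fallback, so if one copy is edited and the other is not, the prebuilt bundle and the fallback would presumably resolve the core from different indexes without any job failing. I would add a comment directly above the case, `# Keep in sync with board_url in the arduino-cores-image matrix`, and a matching one on the matrix side. The step that holds this case statement begins above the hunk, so its name and any other `run` lines are not visible here.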
@@ -270,27 +242,6 @@ jobs: # WOLFSSL_EXAMPLES_ROOT is the repo root, not example location echo "WOLFSSL_EXAMPLES_ROOT = $WOLFSSL_EXAMPLES_ROOT" - - name: Cache Arduino Packages - uses: actions/cache@v5 - with: - path: | - ~/.arduino15 - ~/.cache/arduino - # Exclude staging directory from cache to save space - !~/.arduino15/staging - - # Arduino libraries - # Specific to Arduino CI Build (2 of 4) Arduinbo Release wolfSSL for Local Examples - # Include all libraries, as the latest Arduino-wolfSSL will only change upon release. - ~/Arduino/libraries - # Ensure wolfssl is not cached, we're always using the latest. See separate cache. - !~/Arduino/libraries/wolfssl - key: arduino-${{ runner.os }}-${{ env.CORE_ID }}-${{ hashFiles('Arduino/sketches/board_list.txt') }} - - restore-keys: | - arduino-${{ runner.os }}-${{ env.CORE_ID }}- - arduino-${{ runner.os }}- - - name: Get wolfssl-examples run: | # Fetch Arduino examples from the wolfssl-examples repo