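name: Ubuntu-Macos-Windows Tests

# NOTE(review): no `permissions:` key is declared in this common section, so
# GITHUB_TOKEN gets the repository/organization default on push and schedule
# runs. A top-level `permissions:` with `contents: read` would make least
# privilege explicit - confirm first that the local composite actions the
# jobs call (install-apt-deps, ccache-setup) need no further scope.

# START OF COMMON SECTION
on:
  push:
    branches: [ 'release/**' ]
    # Docs-only changes cannot affect the build/test matrix - skip the
    # run for them. Keep this list narrow (markdown + doc/ only);
    # do not add cert/test data extensions here.
    paths-ignore:
      - '**/*.md'
      - 'doc/**'
  # These jobs build and execute code from the pull request, so the trigger
  # is `pull_request` and must stay that way: `pull_request_target` would run
  # the same code with the base repository's token and secrets.
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [ '*' ]
    paths-ignore:
      - '**/*.md'
      - 'doc/**'
  # Weekday-morning cron (10:00 UTC) seeds the master-scoped ccache that PR runs restore: the
  # linux and macOS jobs re-run --build-only (compile only, no tests) on the
  # default branch, where their ccache writes are visible to every PR. Only
  # Windows is skipped on schedule (see its job `if`) - seeding the linux and
  # macOS shards is where the cold-cache cost lives.
  schedule:
    - cron: '0 10 * * 1-5'

# One run per workflow and ref: a newer push cancels the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION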
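jobs:
  # Ubuntu config matrix. macOS is covered separately by make_check_macos
  # below with a curated subset; configs here either have equivalent macOS
  # coverage there or exercise no Darwin-specific code.
  #
  # The config list is built by a small fixed pool of shard runners: every
  # shard job runs the generic .github/scripts/parallel-make-check.py on
  # the same JSON list below with --shard K/N, which deals the configs
  # across the N shards greedily by their "minutes" weight so every shard
  # carries a similar load. Within a shard each config builds in its own
  # out-of-tree ("VPATH") build directory off one checkout/autogen, and
  # the checks run on a pool of one-per-CPU worker threads, longest first;
  # per-config times and thread/CPU efficiency land in each shard's step
  # summary (same machinery as smoke-test.yml). bubblewrap lets the script
  # tests re-exec under bwrap --unshare-net so concurrent checks cannot
  # collide on TCP/UDP ports (do not set AM_BWRAPPED here - that would
  # disable it).
  make_check_linux:
    name: make check linux
    strategy:
      fail-fast: false
      matrix:
        shard: [1, 2, 3, 4]
    # Runs only in the wolfssl organization, and skips draft pull requests.
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    # The full set measures ~272 thread-minutes cold (~90 warm), i.e. about
    # 68 thread-minutes per shard / 4 worker threads: ~20 min of wall per
    # shard cold and well under 10 warm, plus ~2-3 min of
    # checkout/deps/autogen overhead.
    timeout-minutes: 30
    env:
      CCACHE_MAXSIZE: 500M
    steps:
      # NOTE(review): every third-party action in this job is referenced by a
      # mutable major-version tag (@v5, @v6). Pinning each to a full commit
      # SHA keeps a moved tag from changing what runs here.
      - uses: actions/checkout@v5
        with:
          # None of the steps visible in this job performs an authenticated
          # git operation, so the token is not left in .git/config where the
          # PR-supplied build and test scripts could read it.
          persist-credentials: false
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      - uses: actions/setup-python@v6
        with:
          python-version: '3.x'
      # NOTE(review): unpinned install - each run takes whatever tlslite-ng
      # release PyPI serves at that moment. Consider pinning a version.
      - run: pip install tlslite-ng
      - name: Install dependencies
        uses: ./.github/actions/install-apt-deps
        with:
          packages: autoconf automake libtool build-essential bubblewrap ccache
          ghcr-debs-tag: ubuntu-24.04-minimal
      # Ubuntu 24.04 can restrict unprivileged user namespaces via AppArmor,
      # which would stop the test scripts from re-execing under
      # bwrap --unshare-net (their port-isolation mechanism).
      # `|| true` makes this best-effort: a failed sysctl does not fail the
      # step, so a bwrap problem would only show up later, in the checks.
      - name: Allow unprivileged user namespaces (for bwrap)
        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
      # ccache's default cache dir (XDG ~/.cache/ccache) is what the
      # actions/cache step below saves; pin it explicitly so the two
      # cannot drift apart (e.g. if a later change sets CCACHE_DIR).
      - name: Pin ccache directory
        run: echo "CCACHE_DIR=$HOME/.cache/ccache" >> "$GITHUB_ENV"
      # PRs restore the cache the weekday seed writes but never save it, so
      # PR runs add no per-shard ccache entries to the Actions cache. The
      # seed (schedule) saves below.
      # Restore-only is also the trust boundary: code from a pull request
      # never writes a compiler cache that a later run would restore. Keep
      # the save step gated on `schedule`.
      - name: Restore ccache
        uses: actions/cache/restore@v5
        with:
          path: ~/.cache/ccache
          # Per-shard cache lineage: each shard compiles a distinct config
          # subset. Re-balancing "minutes" can move configs between shards;
          # that costs one rebuild of whatever moved.
          key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.base_ref || github.ref_name }}-${{ github.sha }}
          restore-keys: |
            os-check-linux-ccache-${{ matrix.shard }}-${{ github.base_ref || github.ref_name }}-
            os-check-linux-ccache-${{ matrix.shard }}-
            os-check-linux-ccache-
      # On the weekday seed, force clean recompiles (CCACHE_RECACHE) so the
      # saved master ccache is reseeded from scratch rather than only
      # accumulating deltas. PR/push runs leave it unset and keep their warm hits.
      - name: Force fresh compiles on scheduled reseed
        if: github.event_name == 'schedule'
        run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
      - name: autogen
        run: |
          ccache -z
          ./autogen.sh
      # The JSON list below is the former runner-per-config matrix; add new
      # configs here as new entries (a "comment" key is allowed for notes).
      # "minutes" is the expected duration driving longest-first scheduling
      # and shard balancing: take it from the Minutes column of a previous
      # run's step summary, or omit it for a new config (defaults to 1) and
      # refresh later - a stale value only packs the schedule worse. The
      # list is kept sorted by minutes for readability, but the schedule
      # sorts by the values, not list order.
      # The CFLAGS that were previously passed to configure are applied at
      # make time via --cflags, unchanged. --private-dir=certs gives every
      # build dir its own certs/ copy: crl-gen-openssl.test writes generated
      # CRLs under certs/crl/, which would race through the shared VPATH
      # certs symlink.
      # The heredoc delimiter is quoted ('EOF'), so the shell expands nothing
      # inside the JSON. The only expressions substituted into this script
      # are the event name, the shard number and the shard count.
      - name: Build and make check this shard's configs (parallel, out-of-tree)
        run: |
          cat > "$RUNNER_TEMP/os-check-configs.json" <<'EOF'
          [
            {"name": "all-no-client-auth", "minutes": 9.0,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "all-dilithium-cryptocb", "minutes": 8.9,
             "configure": ["--enable-all", "--enable-dilithium", "--enable-cryptocb",
                           "--enable-cryptocbutils", "--enable-pkcallbacks"]},
            {"name": "all-haproxy-quic", "minutes": 8.6,
             "configure": ["--enable-all", "--enable-haproxy", "--enable-quic"]},
            {"name": "all-asn-template", "minutes": 8.5,
             "configure": ["--enable-all", "--enable-asn=template"]},
            {"name": "all-asn-template-old-oid-sum", "minutes": 8.5,
             "configure": ["--enable-all", "--enable-asn=template", "CPPFLAGS=-DWOLFSSL_OLD_OID_SUM"]},
            {"name": "all-asn-original-old-oid-sum", "minutes": 8.4,
             "configure": ["--enable-all", "--enable-asn=original", "CPPFLAGS=-DWOLFSSL_OLD_OID_SUM"]},
            {"name": "all-asn-original", "minutes": 8.3,
             "configure": ["--enable-all", "--enable-asn=original"]},
            {"name": "all-certgencache", "minutes": 8.3,
             "configure": ["--enable-all", "--enable-certgencache"]},
            {"name": "all-dtls13-frag-ch-no-mlkem", "minutes": 8.2,
             "configure": ["--enable-all", "--enable-dtls13", "--enable-dtls-frag-ch",
                           "--disable-mlkem"]},
            {"name": "all-check-mem-zero", "minutes": 7.9,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_CHECK_MEM_ZERO"]},
            {"name": "all-secure-renegotiation", "minutes": 7.8,
             "configure": ["--enable-all", "--enable-secure-renegotiation"]},
            {"name": "all-debug-certs", "minutes": 7.8,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_DEBUG_CERTS"]},
            {"name": "all-hash-keep", "minutes": 7.8,
             "configure": ["--enable-all", "CPPFLAGS=-DWOLFSSL_HASH_KEEP"]},
            {"name": "all-no-aes-192-256", "minutes": 7.5,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_AES_192 -DNO_AES_256"]},
            {"name": "all-writedup", "minutes": 6.9,
             "configure": ["--enable-all", "--enable-writedup"]},
            {"name": "all-no-server", "minutes": 5.0,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_SERVER"]},
            {"name": "nonblock-sp-c32", "minutes": 5.0,
             "comment": "Same but forcing SP_WORD_SIZE=32 to exercise sp_c32.c on a 64-bit host; the two builds together cover both generated variants of mod_exp_<words>_nb / RSA / DH wrappers.",
             "configure": ["--enable-curve25519=nonblock", "--enable-ecc=nonblock",
                           "--enable-rsa=nonblock", "--enable-dh=nonblock", "--enable-sp=yes,nonblock",
                           "CPPFLAGS=-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM -DSP_WORD_SIZE=32"]},
            {"name": "all-no-server-no-client-auth", "minutes": 4.8,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "all-no-client-no-client-auth", "minutes": 4.4,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "all-no-client", "minutes": 4.2,
             "configure": ["--enable-all", "CPPFLAGS=-DNO_WOLFSSL_CLIENT"]},
            {"name": "nonblock-sp-c64", "minutes": 4.2,
             "comment": "Non-blocking ECC/Curve25519/RSA/DH on the host default SP word size (sp_c64.c on x86_64); RSA/DH non-block require RSA_LOW_MEM (the CRT path is not supported in non-block mode).",
             "configure": ["--enable-curve25519=nonblock", "--enable-ecc=nonblock",
                           "--enable-rsa=nonblock", "--enable-dh=nonblock", "--enable-sp=yes,nonblock",
                           "CPPFLAGS=-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM"]},
            {"name": "tls13-dtls13-session-misc", "minutes": 3.3,
             "configure": ["--enable-tls13", "--enable-session-ticket", "--enable-dtls",
                           "--enable-dtls13", "--enable-opensslextra", "--enable-sessioncerts",
                           "CPPFLAGS=-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE -DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM"]},
            {"name": "dtls-cid-renego-psk", "minutes": 3.3,
             "configure": ["--enable-dtls", "--enable-dtlscid", "--enable-dtls13",
                           "--enable-secure-renegotiation", "--enable-psk", "--enable-aesccm",
                           "--enable-nullcipher", "CPPFLAGS=-DWOLFSSL_STATIC_RSA"]},
            {"name": "dtls13-ocspstapling-cert-cb", "minutes": 3.1,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-ocspstapling",
                           "--enable-ocspstapling2", "--enable-cert-setup-cb", "--enable-sessioncerts"]},
            {"name": "user-settings-all-compat", "minutes": 3.0,
             "comment": "user_settings_all.h with the compatibility layer enabled by flipping its \"#if 0\" block, as a build-dir copy.",
             "user_settings": "examples/configs/user_settings_all.h",
             "cflags": "",
             "configure": ["--enable-usersettings"], "prepare": [["sed", "-i", "s/if 0/if 1/", "user_settings.h"]]},
            {"name": "dtls13-earlydata-psk-no-hrr", "minutes": 2.9,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-earlydata",
                           "--enable-session-ticket", "--enable-psk", "CPPFLAGS=-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME"]},
            {"name": "ocsp-responder-nonblock-maxfrag", "minutes": 2.8,
             "configure": ["--enable-ocsp", "--enable-ocsp-responder", "--enable-ocspstapling",
                           "CPPFLAGS=-DWOLFSSL_NONBLOCK_OCSP", "--enable-maxfragment"]},
            {"name": "dtls-records-span-datagrams", "minutes": 2.7,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-dtls-frag-ch",
                           "--enable-dtls-mtu", "CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS"]},
            {"name": "opensslextra-no-ca-names", "minutes": 2.6,
             "configure": ["--enable-opensslextra", "CPPFLAGS=-DWOLFSSL_NO_CA_NAMES"]},
            {"name": "sessionexport-dtls13", "minutes": 2.6,
             "configure": ["--enable-sessionexport", "--enable-dtls", "--enable-dtls13"]},
            {"name": "lms-xmss-verify-only", "minutes": 2.5,
             "configure": ["--enable-lms=small,verify-only", "--enable-xmss=small,verify-only"]},
            {"name": "opensslall-rng-seed-cb", "minutes": 2.2,
             "configure": ["--enable-opensslall", "--enable-opensslextra", "CPPFLAGS=-DWC_RNG_SEED_CB"]},
            {"name": "opensslall-ecc-zero-hash", "minutes": 2.2,
             "configure": ["--enable-opensslall", "--enable-ecc", "CPPFLAGS=-DWC_ALLOW_ECC_ZERO_HASH"]},
            {"name": "she-ext-cmac-no-she-misc", "minutes": 2.2,
             "configure": ["--enable-she=extended", "--enable-cmac", "--enable-cryptocb",
                           "--enable-cryptocbutils",
                           "CPPFLAGS=-DNO_WC_SHE_GETUID -DNO_WC_SHE_GETCOUNTER -DNO_WC_SHE_EXPORTKEY"]},
            {"name": "she-std-cmac-cryptocb-sw-default", "minutes": 2.2,
             "configure": ["--enable-she=standard", "--enable-cmac", "--enable-cryptocb",
                           "--enable-cryptocbutils", "CPPFLAGS=-DWC_SHE_SW_DEFAULT"]},
            {"name": "sniffer-curves-enckeys", "minutes": 2.2,
             "configure": ["--enable-sniffer", "--enable-curve25519", "--enable-curve448",
                           "--enable-enckeys", "CPPFLAGS=-DWOLFSSL_DH_EXTRA"]},
            {"name": "cryptocb-keygen-utils-aes-setkey", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-utils-setkey-free", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-aesgcm",
                           "--enable-cryptocbutils=setkey,free", "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-keygen-utils-export", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=export"]},
            {"name": "cryptocb-keygen-export-key", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_EXPORT_KEY"]},
            {"name": "cryptocb-utils-setkey-export-find", "minutes": 2.2,
             "configure": ["--enable-cryptocb", "--enable-keygen",
                           "--enable-cryptocbutils=setkey,export", "CPPFLAGS=-DWOLF_CRYPTO_CB_FIND"]},
            {"name": "opensslall-rng-seed-cb-no-getpid", "minutes": 2.1,
             "configure": ["--enable-opensslall", "--enable-opensslextra",
                           "CPPFLAGS=-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID"]},
            {"name": "dtls13-ignore-pt-alert", "minutes": 2.1,
             "configure": ["--enable-dtls", "--enable-dtls13", "--enable-tls13",
                           "CPPFLAGS=-DWOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC"]},
            {"name": "cryptocb-utils-setkey-free-export", "minutes": 2.1,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-aesgcm",
                           "--enable-cryptocbutils=setkey,free,export", "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-aesgcm-setkey-free", "minutes": 2.1,
             "configure": ["--enable-cryptocb", "--enable-aesgcm",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},
            {"name": "opensslextra-x509small", "minutes": 2.0,
             "configure": ["--enable-opensslextra=x509small"]},
            {"name": "cryptocb-keygen-find", "minutes": 2.0,
             "configure": ["--enable-cryptocb", "--enable-keygen", "CPPFLAGS=-DWOLF_CRYPTO_CB_FIND"]},
            {"name": "user-settings-all", "minutes": 2.0,
             "comment": "The user_settings.h header-driven build path is distinct from the autotools-driven --enable-all path; full make check.",
             "user_settings": "examples/configs/user_settings_all.h",
             "cflags": "",
             "configure": ["--enable-usersettings"]},
            {"name": "she-ext-cryptocb-sw-default", "minutes": 1.9,
             "configure": ["--enable-she=extended", "--enable-cryptocb", "--enable-cryptocbutils",
                           "CPPFLAGS=-DWC_SHE_SW_DEFAULT"]},
            {"name": "cryptocb-aesgcm-aes-setkey", "minutes": 1.9,
             "configure": ["--enable-cryptocb", "--enable-aesgcm",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY"]},
            {"name": "cryptocb-keygen-utils-setkey", "minutes": 1.9,
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=setkey"]},
            {"name": "pkcs7-rsa-pss", "minutes": 1.9,
             "comment": "PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)",
             "configure": ["--enable-pkcs7", "CPPFLAGS=-DWC_RSA_PSS"]},
            {"name": "blind-private-key", "minutes": 1.9,
             "configure": ["CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY"]},
            {"name": "certgen-no-tls", "minutes": 1.9,
             "configure": ["--enable-certreq", "--enable-certext", "--enable-certgen",
                           "--disable-secure-renegotiation-info", "CPPFLAGS=-DNO_TLS"]},
            {"name": "no-sys-ca-certs", "minutes": 1.8, "configure": ["--disable-sys-ca-certs"]},
            {"name": "no-client-auth", "minutes": 1.8,
             "configure": ["CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "harden-tls", "minutes": 1.7, "configure": ["--enable-harden-tls"]},
            {"name": "no-sni-ecc-tls13-scr-info", "minutes": 1.7,
             "configure": ["--disable-sni", "--disable-ecc", "--disable-tls13",
                           "--disable-secure-renegotiation-info"]},
            {"name": "default", "minutes": 1.6},
            {"name": "no-client-no-client-auth", "minutes": 1.6,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "ascon-experimental", "minutes": 1.6,
             "configure": ["--enable-ascon", "--enable-experimental"]},
            {"name": "ascon-unroll-experimental", "minutes": 1.6,
             "configure": ["--enable-ascon", "CPPFLAGS=-DWOLFSSL_ASCON_UNROLL",
                           "--enable-experimental"]},
            {"name": "wolfssl-extra", "minutes": 1.6, "configure": ["CPPFLAGS=-DWOLFSSL_EXTRA"]},
            {"name": "coding-no", "minutes": 1.5, "configure": ["--enable-coding=no"]},
            {"name": "she-ext-cmac-cryptocb", "minutes": 1.3,
             "configure": ["--enable-she=extended", "--enable-cmac", "--enable-cryptocb",
                           "--enable-cryptocbutils"]},
            {"name": "she-std-cmac-no-import-m123", "minutes": 1.3,
             "configure": ["--enable-she=standard", "--enable-cmac",
                           "CPPFLAGS=-DNO_WC_SHE_IMPORT_M123"]},
            {"name": "pkcs7", "minutes": 1.3,
             "comment": "PKCS#7 without RSA-PSS",
             "configure": ["--enable-pkcs7"]},
            {"name": "no-tls-cryptocb-aesgcm-setkey-free", "minutes": 1.3,
             "configure": ["--disable-tls", "--enable-cryptocb", "--enable-aesgcm",
                           "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},
            {"name": "she-std-cmac", "minutes": 1.2,
             "configure": ["--enable-she=standard", "--enable-cmac"]},
            {"name": "no-verify-oid-fpki", "minutes": 1.2,
             "configure": ["CPPFLAGS=-DNO_VERIFY_OID -DWOLFSSL_FPKI"]},
            {"name": "no-verify-oid", "minutes": 1.1, "configure": ["CPPFLAGS=-DNO_VERIFY_OID"]},
            {"name": "no-server-no-client-auth", "minutes": 1.0,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH"]},
            {"name": "no-wolfssl-client", "minutes": 1.0,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_CLIENT"]},
            {"name": "testwolfcrypt-ca", "minutes": 1.0,
             "comment": "user_settings.h builds running only testwolfcrypt: pure crypto, no platform-specific features, so Linux-only coverage is sufficient. Not converted: user_settings_pq.h (requires --enable-experimental) and user_settings_baremetal.h (static memory, custom platform).",
             "user_settings": "examples/configs/user_settings_ca.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-dtls13", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_dtls13.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-ebsnet", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_EBSnet.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-eccnonblock", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_eccnonblock.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-curve25519nonblock", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_curve25519nonblock.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-min-ecc", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_min_ecc.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-openssl-compat", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_openssl_compat.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-pkcs7", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_pkcs7.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-rsa-only", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_rsa_only.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-template", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_template.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-tls12", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_tls12.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-tls13", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_tls13.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-wolfboot-keytools", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_wolfboot_keytools.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-wolfssh", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_wolfssh.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "testwolfcrypt-wolftpm", "minutes": 1.0,
             "user_settings": "examples/configs/user_settings_wolftpm.h",
             "cflags": "",
             "configure": ["--enable-usersettings", "--disable-examples"], "check": false, "run": [["wolfcrypt/test/testwolfcrypt"]]},
            {"name": "no-wolfssl-server", "minutes": 0.9,
             "configure": ["CPPFLAGS=-DNO_WOLFSSL_SERVER"]},
            {"name": "dtls13-client-minimal", "minutes": 0.9,
             "comment": "Minimal DTLS 1.3 client-only build with the SHA-224/384/512/3 hash families disabled. SHA-256 (used by TLS_AES_128_GCM_SHA256) and SHA-1 remain enabled.",
             "configure": ["--enable-dtls13", "--disable-tlsv12", "--disable-oldtls", "--disable-rsa",
                           "--disable-dh", "--disable-aescbc", "--disable-aesecb", "--disable-md5",
                           "--disable-chacha", "--disable-poly1305", "--disable-errorstrings",
                           "--disable-asn-print", "--disable-eccshamir", "--disable-base64encode",
                           "--disable-coding", "--disable-sni", "--disable-sha224", "--disable-sha384",
                           "--disable-sha512", "--disable-sha3", "--enable-aesgcm=small", "--enable-sp-math",
                           "--enable-sp=smallec256", "--disable-sp-asm",
                           "CPPFLAGS=-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_TLS12 -DNO_SESSION_CACHE -DWOLFSSL_AES_NO_UNROLL -DUSE_SLOW_SHA256 -DWOLFSSL_NO_ASYNC_IO -DWOLFSSL_DTLS_ONLY"]},
            {"name": "opensslextra-no-filesystem-no-bio", "minutes": 0.9,
             "configure": ["--enable-opensslextra", "--disable-filesystem", "CPPFLAGS=-DNO_BIO"]},
            {"name": "no-examples-no-malloc", "minutes": 0.8,
             "configure": ["--disable-examples", "CPPFLAGS=-DWOLFSSL_NO_MALLOC"]}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
            --shard "${{ matrix.shard }}/${{ strategy.job-total }}" \
            --cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
            --private-dir=certs "$RUNNER_TEMP/os-check-configs.json"
      # Seed runs (schedule) refresh the master-scoped ccache that PR runs
      # restore above; PR/push runs never save, so PRs add nothing.
      - name: Save ccache (seed only)
        if: github.event_name == 'schedule'
        uses: actions/cache/save@v5
        with:
          path: ~/.cache/ccache
          key: os-check-linux-ccache-${{ matrix.shard }}-${{ github.ref_name }}-${{ github.sha }}
      - name: ccache stats
        if: always()
        run: ccache -s || true
      # Only the three named log files per build directory are uploaded, and
      # the artifact expires after 7 days.
      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          retention-days: 7
          name: os-check-linux-logs-${{ matrix.shard }}
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore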
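# Curated macOS subset. Each config exists for a Darwin-specific reason;
# do not add entries that only re-test platform-agnostic crypto already
# covered by the corresponding Linux run.
#
# All configs build on ONE macos runner via
# .github/scripts/parallel-make-check.py, each in its own out-of-tree
# ("VPATH") build directory. Unlike Linux, the checks run one config at
# a time (--threads 1): macOS has no bubblewrap, so concurrent make
# checks would race on TCP/UDP ports. The user_settings_all.h entry is
# the former macOS half of the make_user_settings job, and the
# apple-native-cert-validation entry is the former standalone
# macos-apple-native-cert-validation.yml workflow.
  make_check_macos:
    name: make check macos
    # Runs on PRs/pushes and on the weekday ccache-seed cron, where it
    # --build-only-seeds the macOS ccache (like the linux shards). Only
    # Windows is skipped on schedule (no ccache to seed).
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: macos-latest
    # Serial checks: roughly the sum of the per-config minutes plus
    # one-time setup, with headroom for a cold ccache.
    timeout-minutes: 45
    steps:
      # NOTE(review): the third-party actions in this job are referenced by
      # mutable major-version tags (@v5, @v6). Pinning each to a full commit
      # SHA keeps a moved tag from changing what runs here.
      - uses: actions/checkout@v5
        with:
          # None of the steps visible in this job performs an authenticated
          # git operation, so the token is not left in .git/config where the
          # PR-supplied build and test scripts could read it.
          persist-credentials: false
      # tlslite-ng is consumed by scripts/multi-msg-record.test (run from
      # `make check`); without it that test is SKIPped.
      - uses: actions/setup-python@v6
        with:
          python-version: '3.x'
      # NOTE(review): unpinned install - each run takes whatever tlslite-ng
      # release PyPI serves at that moment. Consider pinning a version.
      - run: pip install tlslite-ng
      # The macos runner images ship without autotools (the old per-config
      # matrix got them via wolfSSL/actions-build-autotools-project).
      - name: Install autotools (brew)
        run: brew install autoconf automake libtool
      # ccache via the cross-platform composite (brew install; compiler
      # symlinks on PATH). The script is told --cc= so it does not also
      # prefix the compiler with "ccache" - the PATH masquerade already
      # intercepts cc/clang.
      - name: Set up ccache
        uses: ./.github/actions/ccache-setup
        with:
          workflow-id: os-check-macos
          max-size: 500M
          # PRs read the weekday-seeded macOS ccache; only the seed saves.
          # NOTE(review): the expression below is false for `push` as well as
          # `schedule`, so push runs on release/** are presumably also allowed
          # to save - confirm against ccache-setup. If only the seed should
          # write, `github.event_name != 'schedule'` expresses that.
          read-only: ${{ github.event_name == 'pull_request' }}
      # Same JSON config format as make_check_linux above; "minutes" only
      # orders the serial schedule here (longest first).
      # The heredoc delimiter is quoted ('EOF'), so the shell expands nothing
      # inside the JSON; the only expression substituted into this script is
      # the event name.
      - name: Build and make check all configs (serial checks, out-of-tree)
        run: |
          cat > "$RUNNER_TEMP/os-check-macos-configs.json" <<'EOF'
          [
            {"name": "all-asn-template", "minutes": 3.0,
             "comment": "Broad key-crypto + Security.framework + opensslextra in one run (RSA, ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC, sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT enable cryptocb or SHE, so those have their own entries.",
             "configure": ["--enable-all", "--enable-asn=template"]},
            {"name": "dtls-cid-renego-psk", "minutes": 1.5,
             "comment": "DTLS over BSD sockets on Darwin: connection-ID, fragmented ClientHello, secure renegotiation, PSK, AES-CCM, null cipher - exercises recvmsg/MTU/datagram handling that differs from Linux.",
             "configure": ["--enable-dtls", "--enable-dtlscid", "--enable-dtls13",
                           "--enable-secure-renegotiation", "--enable-psk", "--enable-aesccm",
                           "--enable-nullcipher", "CPPFLAGS=-DWOLFSSL_STATIC_RSA"]},
            {"name": "user-settings-all", "minutes": 1.5,
             "comment": "The user_settings.h header-driven build path under Apple clang: macOS-specific guard ordering (e.g. WOLFSSL_SYS_CA_CERTS pulling in Security.framework) is distinct from the autotools --enable-all path above.",
             "user_settings": "examples/configs/user_settings_all.h",
             "cflags": "",
             "configure": ["--enable-usersettings"]},
            {"name": "apple-native-cert-validation", "minutes": 1.5,
             "comment": "Former macos-apple-native-cert-validation.yml workflow: WOLFSSL_APPLE_NATIVE_CERT_VALIDATION delegates chain verification to Security.framework instead of wolfSSL's verifier, and the TEST define enables its client tests in make check. CFLAGS go to configure (with \"cflags\": \"\" so the make-time --cflags do not override them), exactly like the old standalone job.",
             "cflags": "",
             "configure": ["CFLAGS=-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION -DWOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -DRSA_MIN_SIZE=2048 -DNO_WOLFSSL_CIPHER_SUITE_TEST"]},
            {"name": "cryptocb-keygen-utils-setkey", "minutes": 1.0,
             "comment": "Crypto-callback dispatcher under Apple clang. Not covered by --enable-all; verifies the cryptocb find/setkey/keygen path compiles and runs on the macOS toolchain.",
             "configure": ["--enable-cryptocb", "--enable-keygen", "--enable-cryptocbutils=setkey"]},
            {"name": "default", "minutes": 0.5,
             "comment": "Default build: --enable-sys-ca-certs is auto-on on macOS, so this exercises Apple keychain / system trust loading in src/ssl_load.c that has no Linux equivalent.",
             "configure": []},
            {"name": "no-sys-ca-certs", "minutes": 0.5,
             "comment": "Validates the configure-time auto-enable override and that the build compiles out the Security.framework code path cleanly - macOS is the only OS where sys-ca-certs is auto-on by default.",
             "configure": ["--disable-sys-ca-certs"]}
          ]
          EOF
          .github/scripts/parallel-make-check.py \
            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
            --threads 1 --cc= \
            --cflags='-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE' \
            --private-dir=certs "$RUNNER_TEMP/os-check-macos-configs.json"
      - name: ccache stats
        if: always()
        run: ccache -s || true
      # Only the three named log files per build directory are uploaded, and
      # the artifact expires after 7 days.
      - name: Upload logs on failure
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          retention-days: 7
          name: os-check-macos-logs
          path: |
            build-*/make-check.log
            build-*/test-suite.log
            build-*/config.log
          if-no-files-found: ignore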
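# Windows MSBuild job: builds wolfssl64.sln in Release for each architecture
# in the matrix and runs testsuite.exe for every architecture except ARM64.
  windows_build:
    name: Windows Build Test
    # Skipped on the weekday ccache-seed cron: no ccache to seed here.
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'schedule') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: windows-latest
    # Every step of this job is visible below: checkout, NuGet restore, build
    # and a local test run. Read access to the repository is all they need.
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        arch: [ x64, Win32, ARM64 ]
    # This should be a safe limit for the tests to run.
    timeout-minutes: 6
    env:
      # Path to the solution file relative to the root of the project.
      SOLUTION_FILE_PATH: wolfssl64.sln
      # Configuration type to build.
      # You can convert this to a build matrix if you need coverage of multiple configuration types.
      # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
      BUILD_CONFIGURATION: Release
    steps:
      # NOTE(review): actions/checkout and microsoft/setup-msbuild are
      # referenced by mutable major-version tags. Pinning each to a full
      # commit SHA keeps a moved tag from changing what runs here.
      - uses: actions/checkout@v5
        with:
          # No later step performs an authenticated git operation, so the
          # token is not left in .git/config for the build or test to read.
          persist-credentials: false
      - name: Add MSBuild to PATH
        uses: microsoft/setup-msbuild@v3
      # NOTE(review): this workflow's `env` defines no GITHUB_WORKSPACE, so
      # `env.GITHUB_WORKSPACE` presumably expands to an empty string in the
      # three `working-directory` keys below and the default workspace is
      # used - confirm; `github.workspace` is the explicit form.
      - name: Restore NuGet packages
        working-directory: ${{env.GITHUB_WORKSPACE}}
        run: nuget restore ${{env.SOLUTION_FILE_PATH}}
      - name: Build
        working-directory: ${{env.GITHUB_WORKSPACE}}
        # Add additional options to the MSBuild command line here (like platform or verbosity level).
        # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
        # The values expanded into this command are the fixed matrix entry
        # and the two constants from `env` above.
        run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{matrix.arch}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
      # The test binary is run for every architecture except ARM64.
      - if: ${{ matrix.arch != 'ARM64' }}
        name: Run Test
        working-directory: ${{env.GITHUB_WORKSPACE}}
        run: Release/${{matrix.arch}}/testsuite.exe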