Merge pull request #657 from junaruga/wip/ci-upgrade-openssl #793
# Display name of this workflow in the Actions UI.
name: CI

# NOTE(review): no `permissions:` key is visible in this file, so the
# GITHUB_TOKEN handed to each job keeps the repository's default scope on
# push events. The jobs below only check out, build and test; a top-level
# `permissions:` block limited to `contents: read` would enforce least
# privilege. Confirm first that the reusable ruby_versions workflow needs
# nothing more.

# Run on every push and on every pull request event.
on:
  - push
  - pull_request
jobs:
  # Produces the list of Ruby versions that the `test` job fans out over by
  # calling a reusable workflow hosted in the ruby/actions repository.
  # NOTE(review): `@master` is a branch ref, so the workflow code executed
  # here changes whenever that branch moves. Pinning the reference to a full
  # commit SHA makes runs reproducible and keeps third-party changes
  # reviewable before they execute in this repository's CI.
  ruby-versions:
    uses: ruby/actions/.github/workflows/ruby_versions.yml@master
    with:
      engine: cruby-truffleruby
      min_version: 2.7

  # Builds and tests the extension against the OpenSSL that each runner
  # image (or Ruby distribution) ships with.
  test:
    needs: ruby-versions
    name: >-
      ${{ matrix.os }} ${{ matrix.ruby }}
    runs-on: ${{ matrix.os }}
    strategy:
      # Let the remaining combinations finish when one of them fails.
      fail-fast: false
      matrix:
        # ubuntu-22.04 uses OpenSSL 3.0, ubuntu-20.04 uses OpenSSL 1.1.1
        os:
          - ubuntu-22.04
          - ubuntu-20.04
          - macos-latest
          - windows-latest
        # Version list comes from the `ruby-versions` job output (JSON).
        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
        exclude:
          # uses non-standard MSYS2 OpenSSL 3 package
          - os: windows-latest
            ruby: head
          - os: windows-latest
            ruby: truffleruby
          - os: windows-latest
            ruby: truffleruby-head
          - os: macos-latest
            ruby: truffleruby
          - os: ubuntu-20.04
            ruby: truffleruby
        include:
          - os: windows-latest
            ruby: ucrt
          - os: windows-latest
            ruby: mswin
    steps:
      # NOTE(review): `actions/checkout@v3` and `ruby/setup-ruby@v1` are tag
      # refs, which their owners can move. The same refs are used again in
      # the `test-openssls` job. Pin to commit SHAs if the project wants
      # immutable action code.
      - name: repo checkout
        uses: actions/checkout@v3

      - name: load ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby }}

      - name: depends
        run: bundle install

      # Enable the verbose option in mkmf.rb to print the compiling commands.
      - name: enable mkmf verbose
        run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
        if: runner.os == 'Linux' || runner.os == 'macOS'

      # Treat compiler warnings as errors unless a matrix entry sets
      # `skip-warnings`. No entry visible in this file sets it.
      - name: set flags to check compiler warnings.
        run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
        if: ${{ !matrix.skip-warnings }}

      # Enable provider search path for OpenSSL 3.0 in MSYS2.
      # Remove when Ruby 3.2 build is updated
      - name: enable windows provider search path
        run: echo "OPENSSL_MODULES=$($env:RI_DEVKIT)\$($env:MSYSTEM_PREFIX)\lib\ossl-modules" >> $env:GITHUB_ENV
        if: runner.os == 'Windows' && matrix.ruby == '3.2'

      - name: compile
        run: rake compile -- --enable-debug

      - name: test
        run: rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
        timeout-minutes: 5

  # Builds specific OpenSSL / LibreSSL releases from source and tests the
  # extension against each of them, including two FIPS-enabled builds.
  test-openssls:
    name: >-
      ${{ matrix.openssl }} ${{ matrix.name-extra || '' }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
        ruby:
          - "3.0"
        # Entries marked EOL no longer receive upstream fixes; they are
        # built here into a per-version prefix under $HOME/.openssl.
        openssl:
          # https://www.openssl.org/source/
          - openssl-1.0.2u # EOL
          - openssl-1.1.0l # EOL
          - openssl-1.1.1v
          - openssl-3.0.10
          - openssl-3.1.2
          # http://www.libressl.org/releases.html
          - libressl-3.1.5 # EOL
          - libressl-3.2.7 # EOL
          - libressl-3.3.6 # EOL
          - libressl-3.4.3 # EOL
          - libressl-3.5.3 # EOL
          - libressl-3.6.3
          - libressl-3.7.3
          - libressl-3.8.0 # Development release
        fips-enabled:
          - false
        # Extra combinations: the same OpenSSL 3.x releases configured with
        # the FIPS provider enabled.
        include:
          - os: ubuntu-latest
            ruby: "3.0"
            openssl: openssl-3.0.10
            fips-enabled: true
            append-configure: 'enable-fips'
            name-extra: 'fips'
          - os: ubuntu-latest
            ruby: "3.0"
            openssl: openssl-3.1.2
            fips-enabled: true
            append-configure: 'enable-fips'
            name-extra: 'fips'
    steps:
      - name: repo checkout
        uses: actions/checkout@v3

      # Download, configure, build and install the selected library into
      # $HOME/.openssl/<release>.
      # NOTE(review): the tarball is fetched over HTTPS and then extracted
      # and built as-is; no checksum or signature is checked before
      # `tar`/`make` run. Verifying a pinned SHA-256 or the release's
      # detached signature before extraction would close that gap.
      # `curl` is also invoked without `--fail`, so an HTTP error page would
      # be saved as the archive and only surface when `tar` rejects it.
      # NOTE(review): `${{ matrix.openssl }}` is substituted into the script
      # text before the shell runs it. The values come from the static list
      # above; keep it that way, or pass the value through `env:` instead.
      - name: prepare openssl
        run: |
          mkdir -p tmp/build-openssl && cd tmp/build-openssl
          case ${{ matrix.openssl }} in
          openssl-*)
            curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz
            tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
            # shared is required for 1.0.x.
            ./Configure --prefix=$HOME/.openssl/${{ matrix.openssl }} --libdir=lib \
                shared linux-x86_64 ${{ matrix.append-configure }}
            make depend
            ;;
          libressl-*)
            curl -OL https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${{ matrix.openssl }}.tar.gz
            tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
            ./configure --prefix=$HOME/.openssl/${{ matrix.openssl }}
            ;;
          *)
            false
            ;;
          esac
          make -j4
          make install_sw

      # FIPS builds only: install the FIPS provider from the build tree.
      - name: prepare openssl fips
        run: make install_fips
        working-directory: tmp/build-openssl/${{ matrix.openssl }}
        if: matrix.fips-enabled

      # FIPS builds only: render the config template, replacing the
      # OPENSSL_DIR placeholder with the install prefix used above.
      - name: set the open installed directory
        run: >
          sed -e "s|OPENSSL_DIR|$HOME/.openssl/${{ matrix.openssl }}|"
          test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl >
          test/openssl/fixtures/ssl/openssl_fips.cnf
        if: matrix.fips-enabled

      # FIPS builds only: export OPENSSL_CONF for the following steps so the
      # library loads the rendered FIPS configuration.
      - name: set openssl config file path for fips.
        run: echo "OPENSSL_CONF=$(pwd)/test/openssl/fixtures/ssl/openssl_fips.cnf" >> $GITHUB_ENV
        if: matrix.fips-enabled

      - name: set fips environment variable for testing.
        run: echo "TEST_RUBY_OPENSSL_FIPS_ENABLED=true" >> $GITHUB_ENV
        if: matrix.fips-enabled

      - name: load ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby }}

      - name: depends
        run: bundle install

      # Print the compiler command lines from mkmf.rb.
      - name: enable mkmf verbose
        run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
        if: runner.os == 'Linux' || runner.os == 'macOS'

      - name: set flags to check compiler warnings.
        run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
        if: ${{ !matrix.skip-warnings }}

      # Build against the library installed by the `prepare openssl` step.
      - name: compile
        run: rake compile -- --enable-debug --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}

      - name: test
        run: rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
        timeout-minutes: 5
        if: ${{ !matrix.fips-enabled }}

      # Run only the passing tests on the FIPS mode as a temporary workaround.
      # TODO Fix other tests, and run all the tests on FIPS mode.
      # A green FIPS job therefore covers test_fips.rb and test_pkey.rb only,
      # not the full suite.
      - name: test on fips mode
        run: |
          ruby -I./lib -ropenssl \
            -e 'Dir.glob "./test/openssl/{test_fips.rb,test_pkey.rb}", &method(:require)'
        if: matrix.fips-enabled