tools: add non-default OpenSSL versions to the test-shared workflow #62862
+213
−37
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| name: Build Node.js (shared libraries) | ||
| description: > | ||
| Downloads the slim tarball built by the `build-tarball` job, extracts it, | ||
| installs Nix (+ cachix + sccache), then builds Node.js and runs the CI | ||
| test suite inside the pinned nix-shell. | ||
|
|
||
| inputs: | ||
| system: | ||
| description: System label (e.g. x86_64-linux, aarch64-darwin). | ||
| required: true | ||
| extra-nix-args: | ||
| description: Additional arguments appended to the nix-shell invocation. | ||
| required: false | ||
| default: '' | ||
| cachix-auth-token: | ||
| description: Cachix auth token for nodejs.cachix.org. | ||
| required: false | ||
| default: '' | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| if: ${{ github.event_name != 'workflow_dispatch' }} | ||
| with: | ||
| name: tarballs | ||
| path: tarballs | ||
|
|
||
| - name: Extract tarball | ||
| if: ${{ github.event_name != 'workflow_dispatch' }} | ||
| shell: bash | ||
| run: | | ||
| tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP" | ||
| echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV" | ||
|
|
||
| - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 | ||
| with: | ||
| extra_nix_config: sandbox = true | ||
|
|
||
| - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 | ||
| with: | ||
| name: nodejs | ||
| authToken: ${{ inputs.cachix-auth-token }} | ||
|
|
||
| - name: Configure sccache | ||
| if: github.base_ref == 'main' || github.ref_name == 'main' | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| with: | ||
| script: | | ||
| core.exportVariable('SCCACHE_GHA_ENABLED', 'on'); | ||
| core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on'); | ||
| core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || ''); | ||
| core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || ''); | ||
| core.exportVariable('NIX_SCCACHE', '(import <nixpkgs> {}).sccache'); | ||
|
|
||
| - name: Build Node.js and run tests | ||
| shell: bash | ||
| run: | | ||
| nix-shell \ | ||
| -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \ | ||
| --pure --keep TAR_DIR --keep FLAKY_TESTS \ | ||
| --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \ | ||
| --arg loadJSBuiltinsDynamically false \ | ||
| --arg useSeparateDerivationForV8 true \ | ||
| --arg ccache "${NIX_SCCACHE:-null}" \ | ||
| --arg devTools '[]' \ | ||
| --arg benchmarkTools '[]' \ | ||
| ${{ endsWith(inputs.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }} | ||
| ${{ inputs.extra-nix-args }} \ | ||
| --run ' | ||
| make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS" | ||
| ' "$TAR_DIR/shell.nix" | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| #!/bin/sh | ||
| # | ||
| # Emits a JSON matrix of OpenSSL releases to test Node.js against with | ||
| # shared libraries, consumed by the `build-openssl` job in | ||
| # .github/workflows/test-shared.yml. | ||
| # | ||
| # Inputs (env): | ||
| # SUPPORTED_OPENSSL_VERSION Latest OpenSSL release we support running | ||
| # tests with. Anything newer is emitted with | ||
| # "continue-on-error": true. | ||
| # | ||
| # Output (stdout): a JSON array with shape | ||
| # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...] | ||
| # | ||
| # Usage: SUPPORTED_OPENSSL_VERSION=4.0 ./tools/nix/collect-openssl-matrix.sh | ||
|
|
||
| set -eu | ||
|
|
||
| : "${SUPPORTED_OPENSSL_VERSION:?SUPPORTED_OPENSSL_VERSION must be set}" | ||
|
|
||
| here=$(cd -- "$(dirname -- "$0")" && pwd) | ||
|
|
||
| # 1. Enumerate every `openssl_N` / `openssl_N_M` attribute exposed by the | ||
| # repo-pinned nixpkgs. `tryEval` skips aliases that raise (e.g. | ||
| # `openssl_3_0` → renamed to `openssl_3`) so we only keep attributes | ||
| # that resolve to a real derivation with a `.version`. | ||
| nix_json=$(nix-instantiate --eval --strict --json -E " | ||
| let | ||
| pkgs = import $here/pkgs.nix {}; | ||
| names = builtins.filter | ||
| (n: builtins.match \"openssl_[0-9]+(_[0-9]+)?\" n != null) | ||
| (builtins.attrNames pkgs); | ||
| safe = builtins.filter (n: | ||
| let t = builtins.tryEval pkgs.\${n}; in | ||
| t.success && (builtins.tryEval t.value.version).success) names; | ||
| in map (n: { attr = n; version = pkgs.\${n}.version; }) safe | ||
| ") | ||
|
|
||
| # 2. Resolve the OpenSSL version the `build` job already covers (the default | ||
| # from sharedLibDeps.nix) so we can drop it from the matrix to avoid | ||
| # duplicate coverage. | ||
| default_openssl_version=$(nix-instantiate --eval --strict --json -E " | ||
| (import $here/sharedLibDeps.nix {}).openssl.version | ||
| " | jq -r .) | ||
|
|
||
| # 3. Fetch OpenSSL release versions from endoflife.date, keep entries that | ||
| # are either not past EOL or still under extended support, then pick the | ||
| # first nix attr whose `.version` starts with the release version | ||
| # followed by `.` / letter / end-of-string (so "3.6" matches "3.6.1", | ||
| # "1.1.1" matches "1.1.1w", and "1.1" does NOT swallow "1.1.1"). | ||
| # Releases without a matching nix attr and the one covered by default in | ||
| # `build` are dropped. | ||
| curl -sf https://endoflife.date/api/openssl.json \ | ||
|
Comment on lines
+46
to
+53
Contributor
There was a problem hiding this comment. Wouldn't it be better to have a manually curated list (by manually, I mean: the bot would open PRs to update the list every Sunday)? The logic is quite hard to grasp, and it's a lot of repetitive work that does not scale well if we wanted to add e.g. non-OpenSSL variants.
Member
Author
There was a problem hiding this comment. uff, there's an idea, nixpgs actually has BoringSSL too. I'd do this in a follow-up.
Member
Author
There was a problem hiding this comment. And it'd have to be the same job that does nixpkgs-unstable updates, else we'd run the risk of the two being open at the same time and not being in sync between their merges. |
||
| | jq -c \ | ||
| --argjson nix "$nix_json" \ | ||
| --arg supported "$SUPPORTED_OPENSSL_VERSION" \ | ||
| --arg default_version "$default_openssl_version" ' | ||
| (now | strftime("%Y-%m-%d")) as $today | | ||
| # Compare two dotted version strings as arrays of numbers | ||
| # (e.g. "4.1" > "4.0" => true, "4.0" > "4.0" => false). | ||
| def gt($a; $b): | ||
| ([$a, $b] | map(split(".") | map(tonumber))) as [$x, $y] | ||
| | ($x | length) as $n | ($y | length) as $m | ||
| | [range(0; if $n > $m then $n else $m end) | ||
| | ((($x[.]) // 0) - (($y[.]) // 0))] | ||
| | map(select(. != 0)) | (.[0] // 0) > 0; | ||
| [ .[] | ||
| | select(.eol == false or .eol > $today or .extendedSupport == true) | ||
| | .cycle as $v | ||
| | ($nix | ||
| | map(select(.version | test("^" + ($v | gsub("\\."; "\\.")) + "([.a-z]|$)"))) | ||
| | first) as $m | ||
| | select($m != null) | ||
| | select($m.version != $default_version) | ||
| | { version: $m.version, attr: $m.attr, "continue-on-error": gt($v; $supported) } | ||
| ]' | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this would need to be moved to
inputs.extra-nix-argsThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I figured only extras (not shared between all uses of the composite action) would go through those inputs.