Skip to content

ci-cd opt.#84

Open
gasbytes wants to merge 1 commit into
wolfSSL:mainfrom
gasbytes:ci-cd-opt
Open

ci-cd opt.#84
gasbytes wants to merge 1 commit into
wolfSSL:mainfrom
gasbytes:ci-cd-opt

Conversation

@gasbytes

@gasbytes gasbytes commented Jun 22, 2026

Copy link
Copy Markdown
Contributor
  • parallelize the build in openldap.yml and don't clone the full history;
  • removing master from the testing matrix of openldap (not a target
    version);
  • Enforce distinct aes-xts keys in both fips and non-fips modes (not only fips) to match wolfssl master, and update the test accordingly;
  • Skip this check when the provider is not used, since the default nettle
    library accepts the keys to be the same;
  • cache the pyenv build for old versions of wget in the wget workflow;
  • parallelize make check in the wget workflow;
  • shallow clone (+ branch only) where possible;
  • document why we are continuing on error for master (now main) branch
    for rsyslog;
  • move network manager comment to the top of the step and update the
    master branch to point at main instead. disable systemd too when
    building with meson.
    disable libbf when building on main. libbpf, which is just a
    library to write, load and interact with eBPF programs in the linux
    kernel. unrelated to provider's crypto since it's kernel related and
    not user-space.
  • update rsyslog workflow to skip false negatives (happens every other
    runs), added appropriate comments explaining the changes

@gasbytes gasbytes changed the title ci-cd opt. ci-cd opt. (where possible) Jun 22, 2026
@gasbytes gasbytes force-pushed the ci-cd-opt branch 3 times, most recently from e749297 to b322a8f Compare June 23, 2026 08:55
@gasbytes gasbytes self-assigned this Jun 23, 2026
@gasbytes gasbytes force-pushed the ci-cd-opt branch 4 times, most recently from 32262df to 686bdb1 Compare June 23, 2026 14:27
Copilot AI review requested due to automatic review settings July 7, 2026 11:20

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR is a WIP focused on CI/CD runtime optimizations (primarily via shallow clones, caching, and more parallelism) and aligns AES-XTS behavior/tests with the wolfSSL provider’s stricter key validation.

Changes:

  • Update AES-XTS wrapper behavior to reject identical XTS key halves regardless of FIPS mode, and adjust the corresponding unit test to only enforce that behavior when the provider is in use.
  • Speed up multiple CI workflows by switching to git clone --depth=1 --branch ... and removing redundant git checkout steps.
  • Add/extend CI caching and parallelization (e.g., pyenv caching for older wget builds, parallel make where applicable).

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
wolfssl-gnutls-wrapper/tests/test_aesxts.c Adjusts AES-XTS “bad key” test to be provider-aware via GNUTLS_NO_PROVIDER.
wolfssl-gnutls-wrapper/src/cipher.c Makes XTS identical-key-halves rejection unconditional (not only in FIPS mode).
.github/workflows/xmlsec.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/wireshark.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/wget.yml Adds pyenv caching and increases parallelism for test/build steps.
.github/workflows/tpm2-tools.yml Adds toolchain caching and converts several clones to shallow clones.
.github/workflows/samba-libs.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/qpdf.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/openldap.yml Uses shallow clone at the matrix ref and parallelizes build.
.github/workflows/networkmanager.yml Removes full-history checkout and uses shallow clones for dependencies.
.github/workflows/libvte.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/libvnc.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/libnice.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/libjcat.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/libcups.yml Uses shallow clones (and shallow submodules where applicable) for CUPS/libcups sources.
.github/workflows/libcamera.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
.github/workflows/gst-libav1.0.yml Uses shallow clones for GStreamer/FFmpeg/gst-libav sources to reduce CI time.
.github/workflows/fwupd.yml Uses shallow clone at the matrix ref to avoid extra checkout steps.
Comments suppressed due to low confidence (1)

.github/workflows/fwupd.yml:100

  • The if: expression for the patch step is syntactically invalid (missing an operator) and it references master, but the matrix uses main/version tags. This will prevent the workflow from running. If the intent is to apply the patch to everything except the target version, a single comparison is sufficient.
          git clone --depth=1 --branch ${{ matrix.fwupd_ref }} https://github.com/fwupd/fwupd.git

      - name: Patch fwupd tests for Debian Bookworm compatibility
        if: matrix.fwupd_ref != '1.9.26' matrix.fwupd_ref != 'master'
        working-directory: fwupd

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfssl-gnutls-wrapper/tests/test_aesxts.c
Comment thread wolfssl-gnutls-wrapper/src/cipher.c
@gasbytes gasbytes force-pushed the ci-cd-opt branch 18 times, most recently from 17a89ff to 598f775 Compare July 8, 2026 16:08
@gasbytes gasbytes force-pushed the ci-cd-opt branch 2 times, most recently from 969383a to c1e1003 Compare July 8, 2026 16:22
- parallelize the build in openldap.yml and don't clone the full history;
- removing master from the testing matrix of openldap (not a target
  version);
- Enforce distinct aes-xts keys in both fips and non-fips modes (not only fips) to match wolfssl master, and update the test accordingly;
- Skip this check when the provider is not used, since the default nettle
library accepts the keys to be the same;
- cache the pyenv build for old versions of wget in the wget workflow;
- parallelize make check in the wget workflow;
- shallow clone (+ branch only) where possible;
- document why we are continuing on error for master (now main) branch
  for rsyslog;
- move network manager comment to the top of the step and update the
  master branch to point at main instead. disable systemd too when
  building with meson.
  disable libbf when building on main. libbpf, which is just a
  library to write, load and interact with eBPF programs in the linux
  kernel. unrelated to provider's crypto since it's kernel related and
  not user-space.
  Added missing dependencies post-update of the main branch + some new
  dependencies that were introduced into the target versions.
- update rsyslog workflow to skip false negatives (happens every other
  runs), added appropriate comments explaining the changes
@gasbytes gasbytes assigned SparkiDev and unassigned gasbytes Jul 9, 2026
@gasbytes gasbytes requested a review from SparkiDev July 9, 2026 12:30
@gasbytes gasbytes marked this pull request as ready for review July 9, 2026 12:32
@gasbytes gasbytes changed the title ci-cd opt. (where possible) ci-cd opt. Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants