Skip to content

Add cross-library compile-testing for wolfSSL products#10853

Merged
dgarske merged 1 commit into
wolfSSL:masterfrom
night1rider:cross-library-testing
Jul 9, 2026
Merged

Add cross-library compile-testing for wolfSSL products#10853
dgarske merged 1 commit into
wolfSSL:masterfrom
night1rider:cross-library-testing

Conversation

@night1rider

@night1rider night1rider commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

For each product (wolfSSH, wolfCLU, wolfTPM, wolfMQTT, wolfPKCS11, wolfProvider) this builds wolfSSL and then builds the product against it, at both the product's latest release tag and its master branch. It only checks that they compile, it does not run any tests. If a wolfSSL change breaks a product's latest release on purpose, you say so in a commit message with breaks-=. A break on a product's master is not allowed and has to be fixed.

breaks-wolfssh=v1.5.0-stable

Note: wolfSSH v1.5.0-stable does not currently compile against wolfSSL. This commit did not break it, it adds the cross-library check that discovered the break. The token above declares it so the new check tracks it as a known break instead of failing red, until wolfSSH ships a fixed release.

@night1rider night1rider self-assigned this Jul 6, 2026
@night1rider night1rider marked this pull request as ready for review July 6, 2026 22:18
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

retest this please

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10853

No scan targets match the changed files in this PR. Review skipped.

@night1rider night1rider force-pushed the cross-library-testing branch from 061d2fd to eb56757 Compare July 6, 2026 23:32
@night1rider

Copy link
Copy Markdown
Contributor Author

Jenkins retest this please

@night1rider night1rider force-pushed the cross-library-testing branch 2 times, most recently from 6685600 to 0bf854c Compare July 7, 2026 18:59
@night1rider

Copy link
Copy Markdown
Contributor Author

Jenkins retest this please

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great, but can you consider the following two items for optimizing the runner time/usage?

A. Shallow checkout for head legs (trivial, ~6 min saved, zero risk). Make depth conditional in cross-library.yml:
fetch-depth: ${{ inputs.ref_mode == 'latest' && 0 || 1 }}
fetch-tags: ${{ inputs.ref_mode == 'latest' }}
Keep full history on latest — check-break.sh fails loud (never fails open) if history is missing, so we must not starve it. Safe because head legs demonstrably never call it.

B. Build wolfSSL once per distinct config and share it (bigger win, moderate effort, ~6-8 min saved). Restructure so wolfSSL is built in a prerequisite job keyed on the wolfssl_configure set + wolfSSL SHA, uploaded as an artifact, and both compile legs download it. Dedupes 12 builds -> ~5. This is the largest structural saving but a real rewrite of the reusable workflow (adds artifact upload/download, ~10-20s each — still net positive). A lighter-touch variant is actions/cache keyed on hash(configure)+SHA, though within a single PR run the head/latest legs start together and both miss the cache, so a shared build job dedupes intra-run more reliably than cache does.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a GitHub Actions “cross-library” compile-check system that builds wolfSSL and then verifies that downstream wolfSSL products (wolfSSH, wolfCLU, wolfTPM, wolfMQTT, wolfPKCS11, wolfProvider) still compile against it at both their default-branch HEAD and their latest release tag. It also adds an auditable “declared break” mechanism (commit-message token) to allow known breaks for latest release tags while still forbidding breaks against downstream HEAD.

Changes:

  • Added a reusable workflow engine (cross-library.yml) to build/install wolfSSL, resolve downstream refs, compile downstream products, and gate failures via declared-break logic.
  • Added per-product caller workflows (cross-*.yml) to run the engine in a matrix of {head, latest} for each downstream product.
  • Added supporting scripts (ref resolution, latest-tag polling, shared build helpers, wolfSSL build script, and declared-break scanner) plus documentation.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 10 comments.

Show a summary per file
File Description
.github/workflows/cross-library.yml Reusable workflow that builds wolfSSL, resolves downstream refs, compiles downstream, and enforces declared-break policy.
.github/workflows/cross-wolfssh.yml Caller workflow to compile-check wolfSSH against wolfSSL (head + latest).
.github/workflows/cross-wolfclu.yml Caller workflow to compile-check wolfCLU against wolfSSL (head + latest).
.github/workflows/cross-wolftpm.yml Caller workflow to compile-check wolfTPM against wolfSSL (head + latest).
.github/workflows/cross-wolfmqtt.yml Caller workflow to compile-check wolfMQTT against wolfSSL (head + latest).
.github/workflows/cross-wolfpkcs11.yml Caller workflow to compile-check wolfPKCS11 against wolfSSL (head + latest).
.github/workflows/cross-wolfprovider.yml Caller workflow to compile-check wolfProvider against wolfSSL (head + latest), incl. OpenSSL dev deps.
.github/workflows/cross-library/README.md Documentation for the cross-library system, scripts, and declared-break behavior.
.github/workflows/cross-library/scripts/build-wolfssl.sh Builds/installs wolfSSL from the current checkout with per-product configure flags.
.github/workflows/cross-library/scripts/common.sh Shared helpers for cloning, default-branch detection, latest-tag resolution, and autotools builds.
.github/workflows/cross-library/scripts/resolve-ref.sh Resolves head/latest to a concrete downstream ref.
.github/workflows/cross-library/scripts/latest-tag.sh Queries a remote for the highest version-sorted tag.
.github/workflows/cross-library/scripts/check-break.sh Scans wolfSSL commits for breaks-<product>=<tag> declarations over a release-window.
.github/workflows/cross-library/scripts/wolfssh.sh Product build script wrapper for wolfSSH (autotools).
.github/workflows/cross-library/scripts/wolfclu.sh Product build script wrapper for wolfCLU (autotools).
.github/workflows/cross-library/scripts/wolftpm.sh Product build script wrapper for wolfTPM (autotools).
.github/workflows/cross-library/scripts/wolfmqtt.sh Product build script wrapper for wolfMQTT (autotools).
.github/workflows/cross-library/scripts/wolfpkcs11.sh Product build script wrapper for wolfPKCS11 (autotools).
.github/workflows/cross-library/scripts/wolfprovider.sh Product build script for wolfProvider with additional --with-openssl handling.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/cross-library/scripts/resolve-ref.sh
Comment thread .github/workflows/cross-library.yml Outdated
Comment thread .github/workflows/cross-library/scripts/common.sh Outdated
Comment thread .github/workflows/cross-library/README.md Outdated
Comment thread .github/workflows/cross-library/scripts/wolfssh.sh Outdated
Comment thread .github/workflows/cross-library/scripts/wolftpm.sh Outdated
Comment thread .github/workflows/cross-library/scripts/wolfprovider.sh Outdated
Comment thread .github/workflows/cross-library/scripts/wolfpkcs11.sh Outdated
Comment thread .github/workflows/cross-library/scripts/wolfmqtt.sh Outdated
Comment thread .github/workflows/cross-library/scripts/wolfclu.sh Outdated
For each product (wolfSSH, wolfCLU, wolfTPM, wolfMQTT, wolfPKCS11, wolfProvider) this builds wolfSSL and then builds the product against it, at both the product's latest release tag and its master branch. It only checks that they compile, it does not run any tests. If a wolfSSL change breaks a product's latest release on purpose, you say so in a commit message with breaks-<product>=<tag>. A break on a product's master is not allowed and has to be fixed.

breaks-wolfssh=v1.5.0-stable

Note: wolfSSH v1.5.0-stable does not currently compile against wolfSSL. This commit did not break it, it adds the cross-library check that discovered the break. The token above declares it so the new check tracks it as a known break instead of failing red, until wolfSSH ships a fixed release.
@night1rider night1rider force-pushed the cross-library-testing branch from 0bf854c to e2f1c54 Compare July 8, 2026 22:41
@dgarske dgarske merged commit 9e72e8d into wolfSSL:master Jul 9, 2026
324 of 327 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants