Add cross-library compile-testing for wolfSSL products#10853
Conversation
|
retest this please |
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10853
No scan targets match the changed files in this PR. Review skipped.
061d2fd to
eb56757
Compare
|
Jenkins retest this please |
6685600 to
0bf854c
Compare
|
Jenkins retest this please |
dgarske
left a comment
There was a problem hiding this comment.
This is great, but can you consider the following two items for optimizing the runner time/usage?
A. Shallow checkout for head legs (trivial, ~6 min saved, zero risk). Make depth conditional in cross-library.yml:
fetch-depth: ${{ inputs.ref_mode == 'latest' && 0 || 1 }}
fetch-tags: ${{ inputs.ref_mode == 'latest' }}
Keep full history on latest — check-break.sh fails loud (never fails open) if history is missing, so we must not starve it. Safe because head legs demonstrably never call it.
B. Build wolfSSL once per distinct config and share it (bigger win, moderate effort, ~6-8 min saved). Restructure so wolfSSL is built in a prerequisite job keyed on the wolfssl_configure set + wolfSSL SHA, uploaded as an artifact, and both compile legs download it. Dedupes 12 builds -> ~5. This is the largest structural saving but a real rewrite of the reusable workflow (adds artifact upload/download, ~10-20s each — still net positive). A lighter-touch variant is actions/cache keyed on hash(configure)+SHA, though within a single PR run the head/latest legs start together and both miss the cache, so a shared build job dedupes intra-run more reliably than cache does.
There was a problem hiding this comment.
Pull request overview
This PR introduces a GitHub Actions “cross-library” compile-check system that builds wolfSSL and then verifies that downstream wolfSSL products (wolfSSH, wolfCLU, wolfTPM, wolfMQTT, wolfPKCS11, wolfProvider) still compile against it at both their default-branch HEAD and their latest release tag. It also adds an auditable “declared break” mechanism (commit-message token) to allow known breaks for latest release tags while still forbidding breaks against downstream HEAD.
Changes:
- Added a reusable workflow engine (
cross-library.yml) to build/install wolfSSL, resolve downstream refs, compile downstream products, and gate failures via declared-break logic. - Added per-product caller workflows (
cross-*.yml) to run the engine in a matrix of{head, latest}for each downstream product. - Added supporting scripts (ref resolution, latest-tag polling, shared build helpers, wolfSSL build script, and declared-break scanner) plus documentation.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/cross-library.yml | Reusable workflow that builds wolfSSL, resolves downstream refs, compiles downstream, and enforces declared-break policy. |
| .github/workflows/cross-wolfssh.yml | Caller workflow to compile-check wolfSSH against wolfSSL (head + latest). |
| .github/workflows/cross-wolfclu.yml | Caller workflow to compile-check wolfCLU against wolfSSL (head + latest). |
| .github/workflows/cross-wolftpm.yml | Caller workflow to compile-check wolfTPM against wolfSSL (head + latest). |
| .github/workflows/cross-wolfmqtt.yml | Caller workflow to compile-check wolfMQTT against wolfSSL (head + latest). |
| .github/workflows/cross-wolfpkcs11.yml | Caller workflow to compile-check wolfPKCS11 against wolfSSL (head + latest). |
| .github/workflows/cross-wolfprovider.yml | Caller workflow to compile-check wolfProvider against wolfSSL (head + latest), incl. OpenSSL dev deps. |
| .github/workflows/cross-library/README.md | Documentation for the cross-library system, scripts, and declared-break behavior. |
| .github/workflows/cross-library/scripts/build-wolfssl.sh | Builds/installs wolfSSL from the current checkout with per-product configure flags. |
| .github/workflows/cross-library/scripts/common.sh | Shared helpers for cloning, default-branch detection, latest-tag resolution, and autotools builds. |
| .github/workflows/cross-library/scripts/resolve-ref.sh | Resolves head/latest to a concrete downstream ref. |
| .github/workflows/cross-library/scripts/latest-tag.sh | Queries a remote for the highest version-sorted tag. |
| .github/workflows/cross-library/scripts/check-break.sh | Scans wolfSSL commits for breaks-<product>=<tag> declarations over a release-window. |
| .github/workflows/cross-library/scripts/wolfssh.sh | Product build script wrapper for wolfSSH (autotools). |
| .github/workflows/cross-library/scripts/wolfclu.sh | Product build script wrapper for wolfCLU (autotools). |
| .github/workflows/cross-library/scripts/wolftpm.sh | Product build script wrapper for wolfTPM (autotools). |
| .github/workflows/cross-library/scripts/wolfmqtt.sh | Product build script wrapper for wolfMQTT (autotools). |
| .github/workflows/cross-library/scripts/wolfpkcs11.sh | Product build script wrapper for wolfPKCS11 (autotools). |
| .github/workflows/cross-library/scripts/wolfprovider.sh | Product build script for wolfProvider with additional --with-openssl handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
For each product (wolfSSH, wolfCLU, wolfTPM, wolfMQTT, wolfPKCS11, wolfProvider) this builds wolfSSL and then builds the product against it, at both the product's latest release tag and its master branch. It only checks that they compile, it does not run any tests. If a wolfSSL change breaks a product's latest release on purpose, you say so in a commit message with breaks-<product>=<tag>. A break on a product's master is not allowed and has to be fixed. breaks-wolfssh=v1.5.0-stable Note: wolfSSH v1.5.0-stable does not currently compile against wolfSSL. This commit did not break it, it adds the cross-library check that discovered the break. The token above declares it so the new check tracks it as a known break instead of failing red, until wolfSSH ships a fixed release.
0bf854c to
e2f1c54
Compare
For each product (wolfSSH, wolfCLU, wolfTPM, wolfMQTT, wolfPKCS11, wolfProvider) this builds wolfSSL and then builds the product against it, at both the product's latest release tag and its master branch. It only checks that they compile, it does not run any tests. If a wolfSSL change breaks a product's latest release on purpose, you say so in a commit message with breaks-=. A break on a product's master is not allowed and has to be fixed.
breaks-wolfssh=v1.5.0-stable
Note: wolfSSH v1.5.0-stable does not currently compile against wolfSSL. This commit did not break it, it adds the cross-library check that discovered the break. The token above declares it so the new check tracks it as a known break instead of failing red, until wolfSSH ships a fixed release.