Skip to content

addition of v6 and PQC 23/06 #673

addition of v6 and PQC 23/06

addition of v6 and PQC 23/06 #673

name: centos-and-fedora
on:
push:
branches:
- main
- 'release/**'
paths-ignore:
- '/*.sh'
- '/.*'
- '/_*'
- 'Brewfile'
- 'docs/**'
- '**.adoc'
- '**.md'
- '**.nix'
- 'flake.lock'
- '.github/workflows/*.yml'
- '!.github/workflows/centos-and-fedora.yml'
pull_request:
paths-ignore:
- '/*.sh'
- '/.*'
- '/_*'
- 'Brewfile'
- 'docs/**'
- '**.adoc'
- '**.md'
- '**.nix'
- 'flake.lock'
concurrency:
group: '${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.ref_name }}'
cancel-in-progress: true
env:
CODECOV_TOKEN: dbecf176-ea3f-4832-b743-295fd71d0fad
#
# Dependencies that are created during packaging
#
# OS botan botan repository json-c json-c repository
# ----------------------------------------------------------------------------
# CentOS 7 2.16.0 ribose json-c12 (0.12.1) ribose
# CentOS 8 2.16.0 ribose 0.13.1 el8
# CentOS 9 2.19.3 el9 0.14 el9
# Fedora 35 2.18.2 fc35 0.15 fc35
# Fedora 36 2.19.1 fc36 0.15 fc36
#
jobs:
tests:
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip ci')"
container: ${{ matrix.image.container }}
timeout-minutes: 70
strategy:
fail-fast: false
matrix:
env:
- { CC: gcc, CXX: g++, BUILD_MODE: normal, USE_STATIC_DEPENDENCIES: yes }
# normal --> Release build; sanitize --> Debug build so theoretically test conditions are different
# - { CC: clang, CXX: clang++, BUILD_MODE: normal, USE_STATIC_DEPENDENCIES: yes }
- { CC: clang, CXX: clang++, BUILD_MODE: sanitize, USE_STATIC_DEPENDENCIES: yes }
# Should you add a new OS/version please consider adding its default version of botan2 and json-c to this test matrix
image:
- { name: 'CentOS 7', container: 'centos:7', gpg_ver: stable, backend: Botan, botan_ver: 2.16.0, locale: en_US.UTF-8 }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: stable, backend: Botan, botan_ver: 2.16.0, locale: C.UTF-8 }
- { name: 'CentOS 9', container: 'quay.io/centos/centos:stream9', gpg_ver: stable, backend: Botan, botan_ver: 2.19.3, locale: C.UTF-8 }
- { name: 'Fedora 35', container: 'fedora:35', gpg_ver: stable, backend: Botan, botan_ver: 2.18.2, locale: C.UTF-8 }
- { name: 'Fedora 36', container: 'fedora:36', gpg_ver: stable, backend: Botan, botan_ver: 2.19.1, locale: C.UTF-8 }
- { name: 'Fedora 36', container: 'fedora:36', gpg_ver: stable, backend: Botan, botan_ver: 3.0.0, locale: C.UTF-8 }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: lts, backend: Botan, sm2: On, locale: C.UTF-8 }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: stable, backend: Botan, sm2: Off, locale: C.UTF-8 }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: lts, backend: OpenSSL, locale: C.UTF-8 }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: beta, backend: Botan, sm2: On, locale: C.UTF-8 }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: 2.3.1, backend: Botan, sm2: On, locale: C.UTF-8 }
- { name: 'CentOS 9', container: 'quay.io/centos/centos:stream9', gpg_ver: stable, backend: OpenSSL, idea: On, locale: C.UTF-8 }
- { name: 'CentOS 9', container: 'quay.io/centos/centos:stream9', gpg_ver: stable, backend: OpenSSL, idea: Off, locale: C.UTF-8 }
- { name: 'Fedora 35', container: 'fedora:35', gpg_ver: stable, backend: OpenSSL, locale: C.UTF-8 }
- { name: 'Fedora 36', container: 'fedora:36', gpg_ver: stable, backend: OpenSSL, locale: C.UTF-8 }
include:
# Coverage report for Botan backend
- image: { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: stable, backend: Botan, sm2: On, locale: C.UTF-8 }
env: { CC: gcc, CXX: g++, BUILD_MODE: coverage , RNP_TESTS: ".*", USE_STATIC_DEPENDENCIES: yes }
# Coverage report for OpenSSL 1.1.1 backend
- image: { name: 'CentOS 8', container: 'tgagor/centos:stream8', gpg_ver: stable, backend: OpenSSL, locale: C.UTF-8 }
env: { CC: gcc, CXX: g++, BUILD_MODE: coverage , RNP_TESTS: ".*", USE_STATIC_DEPENDENCIES: yes }
# Coverage report for OpenSSL 3.0 backend
- image: { name: 'Fedora 36', container: 'fedora:36', gpg_ver: stable, backend: OpenSSL, locale: C.UTF-8 }
env: { CC: gcc, CXX: g++, BUILD_MODE: coverage , RNP_TESTS: ".*", USE_STATIC_DEPENDENCIES: yes }
env: ${{ matrix.env }}
name: ${{ matrix.image.name }} ${{ matrix.image.backend }} [test mode ${{ matrix.env.BUILD_MODE }}; CC ${{ matrix.env.CC }}; GnuPG ${{ matrix.image.gpg_ver }}; SM2 ${{ matrix.image.sm2 }}; IDEA ${{ matrix.image.idea }}]
steps:
- name: Install prerequisites for prerequisites
if: matrix.image.container == 'centos:7'
run: yum -y install http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm
- name: Install prerequisites
run: yum -y install git sudo
- name: Setup environment
run: |
set -o errexit -o pipefail -o noclobber -o nounset
echo LANG=${{ matrix.image.locale }} >> $GITHUB_ENV
echo LC_ALL=${{ matrix.image.locale }} >> $GITHUB_ENV
echo LC_LANG=${{ matrix.image.locale }} >> $GITHUB_ENV
echo GPG_VERSION=${{ matrix.image.gpg_ver }} >> $GITHUB_ENV
echo ENABLE_SM2=${{ matrix.image.sm2 }} >> $GITHUB_ENV
echo ENABLE_IDEA=${{ matrix.image.idea }} >> $GITHUB_ENV
backend=${{ matrix.image.backend }}
backend="$(echo "${backend:-}" | tr '[:upper:]' '[:lower:]')"
echo CRYPTO_BACKEND="$backend" >> $GITHUB_ENV
echo BOTAN_VERSION=${{ matrix.image.botan_ver }} >> $GITHUB_ENV
useradd rnpuser
echo -e "rnpuser\tALL=(ALL)\tNOPASSWD:\tALL" > /etc/sudoers.d/rnpuser
echo -e "rnpuser\tsoft\tnproc\tunlimited\n" > /etc/security/limits.d/30-rnpuser.conf
- name: Checkout
uses: actions/checkout@v3
with:
submodules: true
- name: Setup noncacheable dependencies
run: |
. ci/gha/setup-env.inc.sh
exec su rnpuser -c ci/install_noncacheable_dependencies.sh
- name: Cache
id: cache
uses: actions/cache@v3
with:
path: ${{ env.CACHE_DIR }}
key: ${{ matrix.image.container }}-${{ matrix.image.backend }}-${{ matrix.env.BUILD_MODE }}-${{ matrix.env.CC }}-${{ matrix.image.gpg_ver }}-${{ matrix.image.sm2 }}-${{ matrix.image.idea }}-${{ hashFiles('ci/**') }}-${{ hashFiles('.github/workflows/centos-and-fedora.yml') }}
- name: Adjust folder ownership
run: |
set -o errexit -o pipefail -o noclobber -o nounset
chown -R rnpuser:rnpuser $PWD
- name: Setup cacheable dependencies
if: steps.cache.outputs.cache-hit != 'true'
run: exec su rnpuser -c ci/install_cacheable_dependencies.sh
- name: Build and Test
run: exec su rnpuser -c ci/run.sh
- name: Checkout shell test framework
uses: actions/checkout@v3
with:
repository: kward/shunit2
path: ci/tests/shunit2
- name: Run additional ci tests
run: ci/tests/ci-tests.sh
package-source:
runs-on: ubuntu-latest
container: ${{ matrix.env.container }}
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
env:
- { name: 'CentOS 7', container: 'centos:7', LC_ALL: en_US.UTF-8 }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', LC_ALL: C.UTF-8 }
- { name: 'CentOS 9', container: 'quay.io/centos/centos:stream9', LC_ALL: C.UTF-8 }
- { name: 'Fedora 35', container: 'fedora:35', LC_ALL: C.UTF-8 }
- { name: 'Fedora 36', container: 'fedora:36', LC_ALL: C.UTF-8 }
name: Package ${{ matrix.env.name }} SRPM
env: ${{ matrix.env }}
steps:
- name: Install prerequisites for prerequisites
if: matrix.env.container == 'centos:7'
run: yum -y install http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm
- name: Install prerequisites
run: yum -y install git sudo rpm-build
- name: Checkout
uses: actions/checkout@v3
with:
submodules: true
- name: Setup noncacheable dependencies
run: |
. ci/gha/setup-env.inc.sh
ci/install_noncacheable_dependencies.sh
- name: Configure
run: cmake -B build -DBUILD_SHARED_LIBS=ON -DBUILD_TESTING=OFF
- name: Package SRPM
run: cpack -B build/SRPM -G RPM --config build/CPackSourceConfig.cmake
- name: Upload SRPM
uses: actions/upload-artifact@v3
with:
name: 'SRPM ${{ matrix.env.name }}'
path: 'build/SRPM/*.src.rpm'
retention-days: 5
- name: Stash packaging tests
uses: actions/upload-artifact@v3
with:
name: tests
path: 'ci/tests/**'
retention-days: 1
package:
runs-on: ubuntu-latest
needs: package-source
container: ${{ matrix.env.container }}
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
env:
- { name: 'CentOS 7', container: 'centos:7', LC_ALL: en_US.UTF-8 }
# CXXFLAGS environment setting resolves dual ABI issues caused by BOTAN libraries with the version of GCC installed at 'tgagor/centos:stream8'
# https://gcc.gnu.org/onlinedocs/gcc-5.2.0/libstdc++/manual/manual/using_dual_abi.html
- { name: 'CentOS 8', container: 'tgagor/centos:stream8', CXXFLAGS: -D_GLIBCXX_USE_CXX11_ABI=0, LC_ALL: C.UTF-8 }
- { name: 'CentOS 9', container: 'quay.io/centos/centos:stream9', LC_ALL: C.UTF-8 }
- { name: 'Fedora 35', container: 'fedora:35', LC_ALL: C.UTF-8 }
- { name: 'Fedora 36', container: 'fedora:36', LC_ALL: C.UTF-8 }
name: Package ${{ matrix.env.name }} RPM
env: ${{ matrix.env }}
steps:
- name: Install prerequisites for prerequisites
if: matrix.env.container == 'centos:7'
run: yum -y install http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm
- name: Install prerequisites
run: yum -y install git sudo tar cpio rpm-build
- name: Download SRPM
uses: actions/download-artifact@v3
with:
name: 'SRPM ${{ matrix.env.name }}'
path: ~/rpmbuild/SRPMS
- name: Extract SRPM
run: |
rpm -i -v ~/rpmbuild/SRPMS/*.src.rpm
tar xzf ~/rpmbuild/SOURCES/*.tar.gz --strip 1 -C ~/rpmbuild/SOURCES
- name: Setup noncacheable dependencies
run: |
cd ~/rpmbuild/SOURCES/
. ci/gha/setup-env.inc.sh
ci/install_noncacheable_dependencies.sh
- name: Permanently enable rh-ruby30
if: matrix.env.container == 'centos:7'
run: bash -c "echo \"$(cut -f 2- -d ' ' /opt/rh/rh-ruby30/enable)\"">> $GITHUB_ENV
- name: Build rnp
run: |
cmake ~/rpmbuild/SOURCES -B ~/rpmbuild/SOURCES/BUILD -DBUILD_SHARED_LIBS=ON -DBUILD_TESTING=OFF \
-DCMAKE_INSTALL_PREFIX=/usr
cmake --build ~/rpmbuild/SOURCES/BUILD --config Release
- name: Package rpm
run: cpack -G RPM -B ~/rpmbuild/SOURCES/RPMS --config ~/rpmbuild/SOURCES/BUILD/CPackConfig.cmake
- name: Upload Artifact
uses: actions/upload-artifact@v3
with:
name: 'RPM ${{ matrix.env.name}}'
path: '~/rpmbuild/SOURCES/RPMS/*.rpm'
retention-days: 5
# The main purpose of this step is to test the RPMS in a pristine environment (as for the end user).
# ci-scripts are deliberately not used, as they recreate the development environment,
# and this is something we proudly reject here
rpm-tests:
runs-on: ubuntu-latest
needs: package
container: ${{ matrix.env.container }}
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
env:
- { name: 'CentOS 7', container: 'centos:7' }
- { name: 'CentOS 8', container: 'tgagor/centos:stream8' }
- { name: 'CentOS 9', container: 'quay.io/centos/centos:stream9' }
- { name: 'Fedora 35', container: 'fedora:35' }
- { name: 'Fedora 36', container: 'fedora:36' }
name: RPM test on ${{ matrix.env.name }}
steps:
- name: Install prerequisites
run: yum -y install sudo wget binutils
# CentOS 7/8 packages depend on botan.so.16 that gets installed from ribose repo
# Fedora 35/36 packages depend on botan.so.19 that comes Fedora package, that is available by default
# CentOS 9 depend on botan.so.19 and needs EPEL9 repo that needs to be installed
# ribose repo is also a source of json-c (v12 aka json-c12) for CentOS 7
- name: Install ribose-packages
if: matrix.env.container == 'centos:7' || matrix.env.container == 'tgagor/centos:stream8'
run: |
sudo rpm --import https://github.com/riboseinc/yum/raw/master/ribose-packages-next.pub
sudo wget https://github.com/riboseinc/yum/raw/master/ribose.repo -O /etc/yum.repos.d/ribose.repo
- name: Install epel-release
if: matrix.env.container == 'quay.io/centos/centos:stream9'
run: |
sudo dnf -y install 'dnf-command(config-manager)'
sudo dnf config-manager --set-enabled crb
sudo dnf -y install epel-release
- name: Install xargs
if: matrix.env.container == 'fedora:35'
run: sudo yum -y install findutils
- name: Download rnp rpms
uses: actions/download-artifact@v3
with:
name: 'RPM ${{ matrix.env.name}}'
- name: Checkout shell test framework
uses: actions/checkout@v3
with:
repository: kward/shunit2
path: ci/tests/shunit2
- name: Unstash tests
uses: actions/download-artifact@v3
with:
name: tests
path: ci/tests
- name: Run rpm tests
# RPM tests
# - no source checkout or upload [we get only test scripts from the previous step using GHA artifacts]
# - no environment set up with rnp scripts
# - no dependencies setup, we test that yum can install whatever is required
run: |
chmod +x ci/tests/rpm-tests.sh
ci/tests/rpm-tests.sh
- name: Run symbol visibility tests
run: |
chmod +x ci/tests/ci-tests.sh
sudo yum -y localinstall librnp0-0*.*.rpm librnp0-devel-0*.*.rpm rnp0-0*.*.rpm
ci/tests/ci-tests.sh
sudo yum -y erase $(rpm -qa | grep rnp)
- name: Setup minimalistic build environment
run: |
sudo yum -y install make gcc gcc-c++ zlib-devel bzip2-devel botan2-devel
mkdir cmake
wget https://github.com/Kitware/CMake/releases/download/v3.12.0/cmake-3.12.0-Linux-x86_64.sh -O cmake/cmake.sh
sudo sh cmake/cmake.sh --skip-license --prefix=/usr/local
# Ribose repo provides json-c12-devel for CentOS7;
# el8, el9, fr35, fr36 provide json-c-devel (version 12+)
- name: Setup json-c12
if: matrix.env.container == 'centos:7'
run: sudo yum -y install json-c12-devel
- name: Setup json-c
if: matrix.env.container != 'centos:7'
run: sudo yum -y install json-c-devel
- name: Run packaging tests
run: |
chmod +x ci/tests/pk-tests.sh
ci/tests/pk-tests.sh