Fixes for pqc and crypto refresh #712
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: centos-and-fedora | |
on: | |
push: | |
branches: | |
- main | |
- 'release/**' | |
paths-ignore: | |
- '/*.sh' | |
- '/.*' | |
- '/_*' | |
- 'Brewfile' | |
- 'docs/**' | |
- '**.adoc' | |
- '**.md' | |
- '**.nix' | |
- 'flake.lock' | |
- '.github/workflows/*.yml' | |
- '!.github/workflows/centos-and-fedora.yml' | |
pull_request: | |
paths-ignore: | |
- '/*.sh' | |
- '/.*' | |
- '/_*' | |
- 'Brewfile' | |
- 'docs/**' | |
- '**.adoc' | |
- '**.md' | |
- '**.nix' | |
- 'flake.lock' | |
concurrency: | |
group: '${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.ref_name }}' | |
cancel-in-progress: true | |
env: | |
CORES: 2 | |
RNP_LOG_CONSOLE: 1 | |
CODECOV_TOKEN: dbecf176-ea3f-4832-b743-295fd71d0fad | |
jobs: | |
tests: | |
name: ${{ matrix.image.name }} [CC ${{ matrix.env.CC }}; backend ${{ matrix.image.backend }} ${{ matrix.image.botan_ver }}; gpg ${{ matrix.image.gpg_ver }}; build ${{ matrix.env.BUILD_MODE }}; SM2 ${{ matrix.image.sm2 }}; IDEA ${{ matrix.image.idea }}] | |
runs-on: ubuntu-latest | |
timeout-minutes: 120 | |
strategy: | |
fail-fast: false | |
matrix: | |
env: | |
- { CC: gcc, CXX: g++, BUILD_MODE: normal, SHARED_LIBS: on } | |
# normal --> Release build; sanitize --> Debug build so theoretically test conditions are different | |
# - { CC: clang, CXX: clang++, BUILD_MODE: normal } | |
- { CC: clang, CXX: clang++, BUILD_MODE: sanitize, SHARED_LIBS: on } | |
# All cotainers have gpg stable and lts installed | |
# centos-8-amd64 has botan 2.18.2 installed | |
# fedora-35-amd64 has botan 3.1.1 installed | |
# Any other version has to be built explicitly ! | |
# Pls refer to https://github.com/rnpgp/rnp-ci-containers#readme for more image details | |
image: | |
- { name: 'CentOS 7', container: 'centos-7-amd64', backend: 'Botan', botan_ver: 'system', gpg_ver: 'stable' } | |
- { name: 'CentOS 8', container: 'centos-8-amd64', backend: 'Botan', botan_ver: 'system', gpg_ver: 'system' } | |
- { name: 'CentOS 8', container: 'centos-8-amd64', backend: 'Botan', botan_ver: '2.18.2', sm2: On, gpg_ver: 'lts' } | |
- { name: 'CentOS 8', container: 'centos-8-amd64', backend: 'Botan', botan_ver: '2.18.2', sm2: Off, gpg_ver: 'stable' } | |
- { name: 'CentOS 9', container: 'centos-9-amd64', backend: 'Botan', botan_ver: 'system', gpg_ver: 'stable' } | |
- { name: 'Fedora 35', container: 'fedora-35-amd64', backend: 'Botan', botan_ver: 'system', gpg_ver: 'system' } | |
- { name: 'Fedora 36', container: 'fedora-36-amd64', backend: 'Botan', botan_ver: 'system', gpg_ver: 'system' } | |
- { name: 'Fedora 36', container: 'fedora-36-amd64', backend: 'Botan', botan_ver: '3.1.1', gpg_ver: 'system' } | |
# Tests against gpg head fails | |
# - { name: 'Fedora 36', container: 'fedora-36-amd64', backend: 'Botan', botan_ver: 'system', gpg_ver: 'head' } | |
- { name: 'Fedora 36', container: 'fedora-36-amd64', backend: 'Botan', botan_ver: 'head', gpg_ver: 'system' } | |
- { name: 'CentOS 8', container: 'centos-8-amd64', backend: 'OpenSSL', gpg_ver: 'lts' } | |
- { name: 'CentOS 9', container: 'centos-9-amd64', backend: 'OpenSSL', idea: On, gpg_ver: 'stable' } | |
- { name: 'CentOS 9', container: 'centos-9-amd64', backend: 'OpenSSL', idea: Off,gpg_ver: 'stable' } | |
- { name: 'Fedora 35', container: 'fedora-35-amd64', backend: 'OpenSSL', gpg_ver: 'system' } | |
- { name: 'Fedora 36', container: 'fedora-36-amd64', backend: 'OpenSSL', gpg_ver: 'system' } | |
# There is some ABI incompatibility between llvm-7, bitan shared library from ribose repo and sanitizer | |
# So we are enforving static lib for sanitizers on CentOS 7 | |
exclude: | |
- image: { name: 'CentOS 7', container: 'centos-7-amd64', gpg_ver: stable, backend: Botan, botan_ver: 'system' } | |
env: { CC: clang, CXX: clang++, BUILD_MODE: sanitize, SHARED_LIBS: on } | |
include: | |
- image: { name: 'CentOS 7', container: 'centos-7-amd64', gpg_ver: stable, backend: Botan, botan_ver: 'system' } | |
env: { CC: clang, CXX: clang++, BUILD_MODE: sanitize, SHARED_LIBS: off } | |
# Coverage report for Botan 2.x backend | |
- image: { name: 'CentOS 8', container: 'centos-8-amd64', gpg_ver: stable, backend: Botan, botan_ver: '2.18.2' } | |
env: { CC: gcc, CXX: g++, BUILD_MODE: coverage, SHARED_LIBS: on } | |
# Coverage report for Botan 3.x backend | |
- image: { name: 'Fedora 36', container: 'fedora-36-amd64', gpg_ver: stable, backend: Botan, botan_ver: '3.1.1' } | |
env: { CC: gcc, CXX: g++, BUILD_MODE: coverage, SHARED_LIBS: on } | |
# Coverage report for OpenSSL 1.1.1 backend | |
- image: { name: 'CentOS 8', container: 'centos-8-amd64', gpg_ver: stable, backend: OpenSSL } | |
env: { CC: gcc, CXX: g++, BUILD_MODE: coverage, SHARED_LIBS: on } | |
# Coverage report for OpenSSL 3.0 backend | |
- image: { name: 'CentOS 36', container: 'fedora-36-amd64', gpg_ver: stable, backend: OpenSSL } | |
env: { CC: gcc, CXX: g++, BUILD_MODE: coverage, SHARED_LIBS: on } | |
container: ghcr.io/rnpgp/ci-rnp-${{ matrix.image.container }} | |
env: ${{ matrix.env }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- name: Setup environment | |
run: | | |
set -o errexit -o pipefail -o noclobber -o nounset | |
/opt/tools/tools.sh select_crypto_backend_for_gha ${{ matrix.image.backend }} | |
/opt/tools/tools.sh select_gpg_version_for_gha ${{ matrix.image.gpg_ver }} | |
/opt/tools/tools.sh select_botan_version_for_gha ${{ matrix.image.botan_ver }} | |
echo "ENABLE_SM2=${{ matrix.image.sm2 }}" >> $GITHUB_ENV | |
echo "ENABLE_IDEA=${{ matrix.image.idea }}" >> $GITHUB_ENV | |
echo CORES="$(nproc --all)" >> $GITHUB_ENV | |
useradd rnpuser | |
printf "\nrnpuser\tALL=(ALL)\tNOPASSWD:\tALL" > /etc/sudoers.d/rnpuser | |
printf "\nrnpuser\tsoft\tnproc\tunlimited\n" > /etc/security/limits.d/30-rnpuser.conf | |
# Need to build HEAD version since it is always different | |
- name: Build gpg head | |
if: matrix.image.gpg_ver == 'head' | |
run: /opt/tools/tools.sh build_and_install_gpg head | |
- name: Build botan head | |
if: matrix.image.botan_ver == 'head' | |
run: /opt/tools/tools.sh build_and_install_botan head | |
- name: Configure | |
run: | | |
set -o errexit -o pipefail -o noclobber -o nounset | |
[[ "${{ env.BUILD_MODE }}" = "coverage" ]] && cov_opt=(-DENABLE_COVERAGE=yes) | |
[[ "${{ env.BUILD_MODE }}" = "sanitize" ]] && san_opt=(-DENABLE_SANITIZERS=yes) | |
[ -n "$ENABLE_SM2" ] && sm2_opt=(-DENABLE_SM2="$ENABLE_SM2") | |
[ -n "$ENABLE_IDEA" ] && idea_opt=(-DENABLE_IDEA="$ENABLE_IDEA") | |
cmake -B build \ | |
-DBUILD_SHARED_LIBS=${{ env.SHARED_LIBS }} \ | |
-DDOWNLOAD_GTEST=ON \ | |
-DCMAKE_BUILD_TYPE=Release \ | |
-DCRYPTO_BACKEND=${{ matrix.image.backend }} \ | |
${sm2_opt:-} ${idea_opt:-} ${cov_opt:-} ${san_opt:-} . | |
- name: Build | |
run: cmake --build build --parallel ${{ env.CORES }} | |
- name: Test | |
run: | | |
mkdir -p "build/Testing/Temporary" | |
cp "cmake/CTestCostData.txt" "build/Testing/Temporary" | |
export PATH="$PWD/build/src/lib:$PATH" | |
chown -R rnpuser:rnpuser $PWD | |
exec su rnpuser -c "ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure" | |
- name: Coverage | |
if: env.BUILD_MODE == 'coverage' | |
run: | | |
curl https://keybase.io/codecovsecurity/pgp_keys.asc | gpg --no-default-keyring --keyring trustedkeys.gpg --import # One-time step | |
curl -Os https://uploader.codecov.io/latest/linux/codecov | |
curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM | |
curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig | |
gpgv codecov.SHA256SUM.sig codecov.SHA256SUM | |
shasum -a 256 -c codecov.SHA256SUM | |
chmod +x codecov | |
find "build" -type f -name '*.gcno' -exec gcov -p {} + | |
./codecov | |
- name: Install | |
if: env.BUILD_MODE != 'coverage' && env.SHARED_LIBS == 'on' | |
run: cmake --install build | |
- name: Checkout shell test framework | |
if: env.BUILD_MODE != 'coverage' && env.SHARED_LIBS == 'on' | |
uses: actions/checkout@v3 | |
with: | |
repository: kward/shunit2 | |
path: ci/tests/shunit2 | |
- name: Run additional ci tests | |
if: env.BUILD_MODE != 'coverage' && env.SHARED_LIBS == 'on' | |
run: RNP_INSTALL=/usr/local ci/tests/ci-tests.sh | |
package-source: | |
runs-on: ubuntu-latest | |
container: ghcr.io/rnpgp/ci-rnp-${{ matrix.image.container }} | |
timeout-minutes: 30 | |
# needs: tests | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- { name: 'CentOS 7', container: 'centos-7-amd64' } | |
- { name: 'CentOS 8', container: 'centos-8-amd64' } | |
- { name: 'CentOS 9', container: 'centos-9-amd64' } | |
- { name: 'Fedora 35', container: 'fedora-35-amd64' } | |
- { name: 'Fedora 36', container: 'fedora-36-amd64' } | |
name: Package ${{ matrix.image.name }} SRPM | |
steps: | |
- name: Install rpm tools | |
run: yum -y install rpm-build | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- name: Configure | |
run: cmake -B build -DBUILD_SHARED_LIBS=ON -DBUILD_TESTING=OFF | |
- name: Package SRPM | |
run: cpack -B build/SRPM -G RPM --config build/CPackSourceConfig.cmake | |
- name: Upload SRPM | |
uses: actions/upload-artifact@v3 | |
with: | |
name: 'SRPM ${{ matrix.image.name }}' | |
path: 'build/SRPM/*.src.rpm' | |
retention-days: 5 | |
- name: Stash packaging tests | |
uses: actions/upload-artifact@v3 | |
with: | |
name: tests | |
path: 'ci/tests/**' | |
retention-days: 1 | |
package: | |
runs-on: ubuntu-latest | |
container: ghcr.io/rnpgp/ci-rnp-${{ matrix.image.container }} | |
timeout-minutes: 30 | |
needs: package-source | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- { name: 'CentOS 7', container: 'centos-7-amd64' } | |
- { name: 'CentOS 8', container: 'centos-8-amd64' } | |
- { name: 'CentOS 9', container: 'centos-9-amd64' } | |
- { name: 'Fedora 35', container: 'fedora-35-amd64' } | |
- { name: 'Fedora 36', container: 'fedora-36-amd64' } | |
name: Package ${{ matrix.image.name }} RPM | |
steps: | |
- name: Install rpm tools | |
run: yum -y install rpm-build | |
- name: Download SRPM | |
uses: actions/download-artifact@v3 | |
with: | |
name: 'SRPM ${{ matrix.image.name }}' | |
path: ~/rpmbuild/SRPMS | |
- name: Extract SRPM | |
run: | | |
rpm -i -v ~/rpmbuild/SRPMS/*.src.rpm | |
tar xzf ~/rpmbuild/SOURCES/*.tar.gz --strip 1 -C ~/rpmbuild/SOURCES | |
- name: Build rnp | |
run: | | |
cmake ~/rpmbuild/SOURCES -B ~/rpmbuild/SOURCES/BUILD -DBUILD_SHARED_LIBS=ON -DBUILD_TESTING=OFF \ | |
-DCMAKE_INSTALL_PREFIX=/usr | |
cmake --build ~/rpmbuild/SOURCES/BUILD --config Release | |
- name: Package rpm | |
run: cpack -G RPM -B ~/rpmbuild/SOURCES/RPMS --config ~/rpmbuild/SOURCES/BUILD/CPackConfig.cmake | |
- name: Upload Artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: 'RPM ${{ matrix.image.name}}' | |
path: '~/rpmbuild/SOURCES/RPMS/*.rpm' | |
retention-days: 5 | |
# The main purpose of this step is to test the RPMS in a pristine environment (as for the end user). | |
# ci-scripts are deliberately not used, as they recreate the development environment, | |
# and this is something we proudly reject here | |
rpm-tests: | |
runs-on: ubuntu-latest | |
needs: package | |
container: ${{ matrix.image.container }} | |
timeout-minutes: 30 | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- { name: 'CentOS 7', container: 'centos:7' } | |
- { name: 'CentOS 8', container: 'tgagor/centos:stream8' } | |
- { name: 'CentOS 9', container: 'quay.io/centos/centos:stream9' } | |
- { name: 'Fedora 35', container: 'fedora:35' } | |
- { name: 'Fedora 36', container: 'fedora:36' } | |
name: RPM test on ${{ matrix.image.name }} | |
steps: | |
- name: Install prerequisites | |
run: yum -y install sudo wget binutils | |
# CentOS 7/8 packages depend on botan.so.16 that gets installed from ribose repo | |
# Fedora 35/36 packages depend on botan.so.19 that comes Fedora package, that is available by default | |
# CentOS 9 depend on botan.so.19 and needs EPEL9 repo that needs to be installed | |
# ribose repo is also a source of json-c (v12 aka json-c12) for CentOS 7 | |
- name: Install ribose-packages | |
if: matrix.image.container == 'centos:7' || matrix.image.container == 'tgagor/centos:stream8' | |
run: | | |
sudo rpm --import https://github.com/riboseinc/yum/raw/master/ribose-packages-next.pub | |
sudo wget https://github.com/riboseinc/yum/raw/master/ribose.repo -O /etc/yum.repos.d/ribose.repo | |
- name: Install epel-release | |
if: matrix.image.container == 'quay.io/centos/centos:stream9' | |
run: | | |
sudo dnf -y install 'dnf-command(config-manager)' | |
sudo dnf config-manager --set-enabled crb | |
sudo dnf -y install epel-release | |
- name: Install xargs | |
if: matrix.image.container == 'fedora:35' | |
run: sudo yum -y install findutils | |
- name: Download rnp rpms | |
uses: actions/download-artifact@v3 | |
with: | |
name: 'RPM ${{ matrix.image.name}}' | |
- name: Checkout shell test framework | |
uses: actions/checkout@v3 | |
with: | |
repository: kward/shunit2 | |
path: ci/tests/shunit2 | |
- name: Unstash tests | |
uses: actions/download-artifact@v3 | |
with: | |
name: tests | |
path: ci/tests | |
- name: Run rpm tests | |
# RPM tests | |
# - no source checkout or upload [we get only test scripts from the previous step using GHA artifacts] | |
# - no environment set up with rnp scripts | |
# - no dependencies setup, we test that yum can install whatever is required | |
run: | | |
chmod +x ci/tests/rpm-tests.sh | |
ci/tests/rpm-tests.sh | |
- name: Run symbol visibility tests | |
run: | | |
chmod +x ci/tests/ci-tests.sh | |
sudo yum -y localinstall librnp0-0*.*.rpm librnp0-devel-0*.*.rpm rnp0-0*.*.rpm | |
ci/tests/ci-tests.sh | |
sudo yum -y erase $(rpm -qa | grep rnp) | |
- name: Setup minimalistic build environment | |
run: | | |
sudo yum -y install make gcc gcc-c++ zlib-devel bzip2-devel botan2-devel | |
mkdir cmake | |
wget https://github.com/Kitware/CMake/releases/download/v3.12.0/cmake-3.12.0-Linux-x86_64.sh -O cmake/cmake.sh | |
sudo sh cmake/cmake.sh --skip-license --prefix=/usr/local | |
# Ribose repo provides json-c12-devel for CentOS7; | |
# el8, el9, fr35, fr36 provide json-c-devel (version 12+) | |
- name: Setup json-c12 | |
if: matrix.image.container == 'centos:7' | |
run: sudo yum -y install json-c12-devel | |
- name: Setup json-c | |
if: matrix.image.container != 'centos:7' | |
run: sudo yum -y install json-c-devel | |
- name: Run packaging tests | |
run: | | |
chmod +x ci/tests/pk-tests.sh | |
ci/tests/pk-tests.sh |