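name: Build wolfProvider

# Reusable workflow: installs pre-built wolfSSL/OpenSSL Debian packages from the
# `debs` branch, builds the wolfProvider packages on top of them, and uploads the
# whole set as one artifact for consumer jobs in the same run.
on:
  workflow_call:
    inputs:
      # wolfSSL package set to build against; also part of the artifact name
      wolfssl_ref:
        required: true
        type: string
      # OpenSSL package set to build against; also part of the artifact name
      openssl_ref:
        required: true
        type: string
      # 'FIPS' selects the FIPS wolfSSL packages and the --fips install flag;
      # any other value (or none) selects the non-FIPS packages
      fips_ref:
        required: false
        type: string
      # true installs the replace-default OpenSSL packages instead of the default ones
      replace_default:
        required: false
        type: boolean

jobs:
  build_wolfprovider_common:
    name: Build wolfProvider
    runs-on: ubuntu-22.04
    # Grant permissions to read packages from ghcr.io
    permissions:
      contents: read
      packages: read
    # Run inside Debian Bookworm using container from ghcr.io/wolfssl/build-wolfprovider-debian:bookworm
    # We are using this container to avoid having to install all the dependencies on the host machine
    # and speed up the build process.
    # Note: Docker image paths must be lowercase even though the GitHub org is wolfSSL
    container:
      image: ghcr.io/wolfssl/build-wolfprovider-debian:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
      # Add network capabilities so ifconfig/RTNETLINK operations are permitted
      # These are passed to `docker run` as runtime options
      options: --cap-add=NET_ADMIN --cap-add=NET_RAW
    timeout-minutes: 20
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
      DEBS_PATH: debs
      # NOTE(review): artifact names reject characters such as '/' and ':'; a ref
      # containing them would make the upload/download steps fail — confirm callers pass plain tags
      PACKAGE_NAME: debian-packages-${{ inputs.fips_ref }}${{ inputs.replace_default && '-replace-default' || '' }}-${{ inputs.wolfssl_ref }}-${{ inputs.openssl_ref }}
      # Caller-supplied inputs are handed to shell steps as environment variables instead of
      # being expanded inline with ${{ }}, so their text is never spliced into shell source.
      FIPS_REF: ${{ inputs.fips_ref }}
      REPLACE_DEFAULT: ${{ inputs.replace_default }}
    steps:
      # Check if artifact already exists from another job in the same workflow run.
      # When multiple matrix jobs run in parallel, the first one to finish uploads the artifact;
      # later jobs find it and skip rebuilding. download-artifact does fetch it (into the
      # workspace, no `path:` given) — only the step outcome is used by the `if:` guards below.
      # TODO(review): consider pinning every `uses:` in this job to a full commit SHA rather
      # than a mutable major tag.
      - name: Check for existing artifact from same run
        id: check_artifact
        continue-on-error: true
        uses: actions/download-artifact@v4
        with:
          name: ${{ env.PACKAGE_NAME }}

      # Download pre-built packages from debs branch
      - name: Checkout debs branch
        if: steps.check_artifact.outcome != 'success'
        uses: actions/checkout@v4
        with:
          repository: wolfSSL/wolfProvider
          ref: debs
          sparse-checkout: |
            fips
            nonfips
            openssl
          sparse-checkout-cone-mode: false
          path: ${{ env.DEBS_PATH }}

      - name: Setup packages from debs branch
        if: steps.check_artifact.outcome != 'success'
        run: |
          mkdir -p "$WOLFSSL_PACKAGES_PATH"
          mkdir -p "$OPENSSL_PACKAGES_PATH"
          echo "Available packages in debs branch:"
          ls -la "$DEBS_PATH"/
          # Copy wolfSSL packages based on build type; missing wolfSSL packages are fatal
          if [ "$FIPS_REF" = "FIPS" ]; then
            if [ -d "$DEBS_PATH/fips" ] && [ "$(ls -A "$DEBS_PATH"/fips/*.deb 2>/dev/null)" ]; then
              echo "Copying FIPS wolfSSL packages..."
              cp "$DEBS_PATH"/fips/*.deb "$WOLFSSL_PACKAGES_PATH"/
            else
              echo "ERROR: No FIPS packages found in debs branch"
              exit 1
            fi
          else
            if [ -d "$DEBS_PATH/nonfips" ] && [ "$(ls -A "$DEBS_PATH"/nonfips/*.deb 2>/dev/null)" ]; then
              echo "Copying non-FIPS wolfSSL packages..."
              cp "$DEBS_PATH"/nonfips/*.deb "$WOLFSSL_PACKAGES_PATH"/
            else
              echo "ERROR: No non-FIPS packages found in debs branch"
              exit 1
            fi
          fi
          # Copy OpenSSL packages based on replace_default setting; missing OpenSSL
          # packages only warn, so the build continues with whatever the container provides
          if [ "$REPLACE_DEFAULT" = "true" ]; then
            if [ -d "$DEBS_PATH/openssl/debs-replace-default" ] && [ "$(ls -A "$DEBS_PATH"/openssl/debs-replace-default/*.deb 2>/dev/null)" ]; then
              echo "Copying OpenSSL replace-default packages..."
              cp "$DEBS_PATH"/openssl/debs-replace-default/*.deb "$OPENSSL_PACKAGES_PATH"/
            else
              echo "WARNING: No OpenSSL replace-default packages found in debs branch"
            fi
          else
            if [ -d "$DEBS_PATH/openssl/debs-default" ] && [ "$(ls -A "$DEBS_PATH"/openssl/debs-default/*.deb 2>/dev/null)" ]; then
              echo "Copying OpenSSL default packages..."
              cp "$DEBS_PATH"/openssl/debs-default/*.deb "$OPENSSL_PACKAGES_PATH"/
            else
              echo "WARNING: No OpenSSL default packages found in debs branch"
            fi
          fi
          echo ""
          echo "Packages ready for installation:"
          echo "wolfSSL packages:"
          ls -la "$WOLFSSL_PACKAGES_PATH"
          echo ""
          echo "OpenSSL packages:"
          ls -la "$OPENSSL_PACKAGES_PATH"

      - name: Install OpenSSL and wolfSSL packages
        if: steps.check_artifact.outcome != 'success'
        run: |
          echo "Installing OpenSSL and wolfSSL packages ($FIPS_REF)..."
          # Install OpenSSL packages first
          if [ -n "$(ls -A "$OPENSSL_PACKAGES_PATH"/*.deb 2>/dev/null)" ]; then
            echo "Installing OpenSSL packages..."
            # dpkg exits non-zero on unmet dependencies; those are resolved by apt-get below
            dpkg -i "$OPENSSL_PACKAGES_PATH"/*.deb || true
          fi
          # Install wolfSSL packages
          if [ -n "$(ls -A "$WOLFSSL_PACKAGES_PATH"/*.deb 2>/dev/null)" ]; then
            echo "Installing wolfSSL packages..."
            dpkg -i "$WOLFSSL_PACKAGES_PATH"/*.deb || true
          fi
          # Fix any dependency issues — this is the call that must succeed for the step to pass
          apt-get install -f -y
          echo ""
          echo "Packages installed successfully:"
          # Informational listing only: a missing package prints a note, it does not fail the step
          echo "OpenSSL:"
          dpkg -l | grep openssl || echo " No OpenSSL packages found"
          echo ""
          echo "wolfSSL:"
          dpkg -l | grep wolfssl || echo " No wolfSSL packages found"

      - name: Checkout wolfProvider
        if: steps.check_artifact.outcome != 'success'
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
          fetch-tags: true

      # Avoid "detected dubious ownership" warning
      - name: Ensure the working directory safe
        if: steps.check_artifact.outcome != 'success'
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"

      # When running on a fork the upstream tags are not present, so fetch them explicitly
      - name: Fetch tags from upstream(for Debian versioning)
        if: steps.check_artifact.outcome != 'success'
        run: |
          git remote add upstream https://github.com/wolfSSL/wolfProvider.git || true
          git fetch upstream --tags --no-recurse-submodules

      - name: Install wolfProvider
        if: steps.check_artifact.outcome != 'success'
        run: |
          # The expression yields the literal '--fips' or nothing; the raw input text is not interpolated
          "$GITHUB_WORKSPACE"/debian/install-wolfprov.sh ${{ inputs.fips_ref == 'FIPS' && '--fips' || '' }} "$WOLFPROV_PACKAGES_PATH"

      - name: Setup packages directory
        if: steps.check_artifact.outcome != 'success'
        run: |
          # NOTE(review): install-wolfprov.sh already received this path in the previous step;
          # mkdir -p is a no-op if the script created it — confirm the intended order
          mkdir -p "$WOLFPROV_PACKAGES_PATH"
          # Copy wolfProvider packages (built in previous step)
          cp "$GITHUB_WORKSPACE"/../libwolfprov*.deb "$WOLFPROV_PACKAGES_PATH"
          cp "$GITHUB_WORKSPACE"/../libwolfprov*.dsc "$WOLFPROV_PACKAGES_PATH"
          cp "$GITHUB_WORKSPACE"/../libwolfprov*.tar.gz "$WOLFPROV_PACKAGES_PATH"
          # Note: OpenSSL and wolfSSL packages already copied from debs branch earlier
          printf "Listing packages directory:\n"
          echo "wolfProvider packages:"
          ls -la "$WOLFPROV_PACKAGES_PATH"
          echo ""
          echo "wolfSSL packages:"
          ls -la "$WOLFSSL_PACKAGES_PATH"
          echo ""
          echo "OpenSSL packages:"
          ls -la "$OPENSSL_PACKAGES_PATH"

      # Save all packages as artifacts for consumers
      # Skip upload if artifact already exists (from a parallel run)
      - name: Upload wolfProvider packages
        if: steps.check_artifact.outcome != 'success'
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.PACKAGE_NAME }}
          path: |
            ${{ env.WOLFSSL_PACKAGES_PATH }}
            ${{ env.OPENSSL_PACKAGES_PATH }}
            ${{ env.WOLFPROV_PACKAGES_PATH }}
          retention-days: 1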