CI: github: let's add an AWS-LC-FIPS job
Add a job which does exactly the same as the aws-lc.yml job, but using the AWS-LC-FIPS build.
parent
0107bfdb1a
commit
0c1fdb2908
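--- a/.github/matrix.py
+++ b/.github/matrix.py
@@ -67,6 +67,22 @@ def determine_latest_aws_lc(ssl):
 latest_tag = max(valid_tags, key=aws_lc_version_string_to_num)
 return "AWS_LC_VERSION={}".format(latest_tag[1:])
 
+def aws_lc_fips_version_string_to_num(version_string):
+return tuple(map(int, version_string[12:].split('.')))
+
+def aws_lc_fips_version_valid(version_string):
+return re.match('^AWS-LC-FIPS-[0-9]+(\.[0-9]+)*$', version_string)
+
+@functools.lru_cache(5)
+def determine_latest_aws_lc_fips(ssl):
+# the AWS-LC-FIPS tags are at the end of the list, so let's get a lot
+tags = get_all_github_tags("https://api.github.com/repos/aws/aws-lc/tags?per_page=200")
+if not tags:
+return "AWS_LC_FIPS_VERSION=failed_to_detect"
+valid_tags = list(filter(aws_lc_fips_version_valid, tags))
+latest_tag = max(valid_tags, key=aws_lc_fips_version_string_to_num)
+return "AWS_LC_FIPS_VERSION={}".format(latest_tag[12:])
+
 def wolfssl_version_string_to_num(version_string):
 return tuple(map(int, version_string[1:].removesuffix('-stable').split('.')))
 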
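Review bot: `determine_latest_aws_lc_fips` guards against an empty `tags` list but not an empty `valid_tags`, so `max(valid_tags, ...)` raises `ValueError` whenever the fetched tags contain no `AWS-LC-FIPS-*` entry, instead of returning the `failed_to_detect` sentinel. That case looks reachable: the comment says the FIPS tags sit at the end of the list, and the GitHub REST API caps `per_page` at 100, so `?per_page=200` will not return more than the first 100 tags unless `get_all_github_tags` (not visible in this hunk) follows pagination. Suggest adding `if not valid_tags: return "AWS_LC_FIPS_VERSION=failed_to_detect"` before the `max()` call. In `aws_lc_fips_version_valid` the pattern should be a raw string, `r'^AWS-LC-FIPS-[0-9]+(\.[0-9]+)*$'`, because `\.` in a plain literal is an invalid escape that newer Python versions warn about. That anchored pattern is also the only thing constraining the tag-derived value before the workflow expands it into a shell command, so a one-line comment saying so would help the next editor keep it strict.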
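--- a/.github/workflows/aws-lc-fips.yml
+++ b/.github/workflows/aws-lc-fips.yml
@@ -0,0 +1,86 @@
+name: AWS-LC-FIPS
+
+on:
+schedule:
+- cron: "0 0 * * 4"
+workflow_dispatch:
+
+permissions:
+contents: read
+
+jobs:
+test:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Install VTest
+run: |
+scripts/build-vtest.sh
+- name: Determine latest AWS-LC release
+id: get_aws_lc_release
+run: |
+result=$(cd .github && python3 -c "from matrix import determine_latest_aws_lc_fips; print(determine_latest_aws_lc_fips(''))")
+echo $result
+echo "result=$result" >> $GITHUB_OUTPUT
+- name: Cache AWS-LC
+id: cache_aws_lc
+uses: actions/cache@v4
+with:
+path: '~/opt/'
+key: ssl-${{ steps.get_aws_lc_release.outputs.result }}-Ubuntu-latest-gcc
+- name: Install apt dependencies
+run: |
+sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+sudo apt-get --no-install-recommends -y install socat gdb
+- name: Install AWS-LC
+if: ${{ steps.cache_ssl.outputs.cache-hit != 'true' }}
+run: env ${{ steps.get_aws_lc_release.outputs.result }} scripts/build-ssl.sh
+- name: Compile HAProxy
+run: |
+make -j$(nproc) ERR=1 CC=gcc TARGET=linux-glibc \
+USE_OPENSSL_AWSLC=1 USE_QUIC=1 \
+SSL_LIB=${HOME}/opt/lib SSL_INC=${HOME}/opt/include \
+DEBUG="-DDEBUG_POOL_INTEGRITY" \
+ADDLIB="-Wl,-rpath,/usr/local/lib/ -Wl,-rpath,$HOME/opt/lib/"
+sudo make install
+- name: Show HAProxy version
+id: show-version
+run: |
+ldd $(which haproxy)
+haproxy -vv
+echo "version=$(haproxy -v |awk 'NR==1{print $3}')" >> $GITHUB_OUTPUT
+- name: Install problem matcher for VTest
+run: echo "::add-matcher::.github/vtest.json"
+- name: Run VTest for HAProxy
+id: vtest
+run: |
+# This is required for macOS which does not actually allow to increase
+# the '-n' soft limit to the hard limit, thus failing to run.
+ulimit -n 65536
+# allow to catch coredumps
+ulimit -c unlimited
+make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel
+- name: Show VTest results
+if: ${{ failure() && steps.vtest.outcome == 'failure' }}
+run: |
+for folder in ${TMPDIR:-/tmp}/haregtests-*/vtc.*; do
+printf "::group::"
+cat $folder/INFO
+cat $folder/LOG
+echo "::endgroup::"
+done
+exit 1
+- name: Show coredumps
+if: ${{ failure() && steps.vtest.outcome == 'failure' }}
+run: |
+failed=false
+shopt -s nullglob
+for file in /tmp/core.*; do
+failed=true
+printf "::group::"
+gdb -ex 'thread apply all bt full' ./haproxy $file
+echo "::endgroup::"
+done
+if [ "$failed" = true ]; then
+exit 1;
+fi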
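Review bot: The `Install AWS-LC` step tests `steps.cache_ssl.outputs.cache-hit`, but the cache step in this job is declared with `id: cache_aws_lc`, so the expression reads a step that does not exist, never equals `'true'`, and the build step runs on every execution regardless of a cache hit. It should read `if: ${{ steps.cache_aws_lc.outputs.cache-hit != 'true' }}`. The same step expands `${{ steps.get_aws_lc_release.outputs.result }}` straight into the `run:` command line, and that value is derived from upstream tag names, so it is only as safe as the anchored digits-and-dots regex in `.github/matrix.py`. The `failed_to_detect` sentinel also reaches `scripts/build-ssl.sh` and the cache key unchecked, so the detection step should fail the job explicitly when it sees that value, which would keep a detection failure from being cached or built under a bogus version.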