ci: add GitHub Actions test pipeline#5
Closed
Frauschi wants to merge 1 commit into
Closed
Conversation
Add the wolfCert CI pipeline and supporting scripts, plus the adjacent build-system and code fixes surfaced while building it out. Workflows (.github/workflows): - pr.yml: the merge gate. Canonical config on CMake (-Werror), autoconf and ASan/UBSan, plus per-PR feature/config gating -- EST-only, SCEP-only, server-off, the key-alg variants (NO_RSA, ECC-only, RSA-only, no-3DES), TLS 1.3-only, ML-DSA per-level, static-mem, no-malloc, the header-only user_settings build, a macOS build, and the cheap configure-must-fail assertions. - nightly.yml: re-runs the wolfSSL-variant matrix against fresh master, seeds the wolfSSL prefix caches for PR restores, and runs the macOS extras and the full negative-config set. - lint.yml: GPL header check and CMake<->autoconf source/test-list parity. - sanitizers.yml, interop.yml: ASan/UBSan/TSan/valgrind and third-party EST/SCEP interop (best-effort, neutral-skip on dependency failure). Scripts and actions (scripts/ci, .github/actions): - build-wolfssl.sh: single source of truth mapping a config name to wolfSSL ./configure flags; the composite build-wolfssl action caches the install prefix keyed on the wolfSSL commit + flag hash. interop restores only. - assert-configure-fails.sh, check-buildsystem-parity.sh (guards both the library- and test-source lists), sigpipe-launcher.sh. Build-system parity: - Register the EST integration tests Makefile.am was missing so `make check` and ctest run the same set. CSR-attribute enforcement (src/est/est_server.c): - Collapse csr_attrs_enforce's out-parameters into a single value-result size_t* (capacity in, length out), reset it to 0 on every non-missing path, and gate the caller on it so no error path can leak an unpopulated stack buffer into the HTTP 400 body. Add an end-to-end test asserting the 400 body names the missing OID. docs/CI.md documents the pipeline and how to reproduce a job locally.
Contributor
Author
|
Closing in favor of #6 to make sure the new CI tests run in the PR ahead of merging |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ci: add GitHub Actions test pipeline
Summary
Adds a full GitHub Actions CI pipeline for wolfCert, plus the supporting scripts and a couple of adjacent fixes surfaced while building it out. CI builds (or restores from cache) a named wolfSSL configuration, builds wolfCert to match, and runs the tests. The design splits work into a fast per-PR merge gate and a nightly job set that owns the heavier matrix, cache seeding, sanitizers, and interop.
Workflows
pr.yml-Werror), autoconf, and ASan/UBSan, plus per-PR feature/config gating — EST-only, SCEP-only, server-off, key-alg variants (NO_RSA, ECC-only, RSA-only, no-3DES), TLS 1.3-only, ML-DSA per-level, static-mem, no-malloc, the header-onlyuser_settings.hbuild, a macOS build, and the two cheapest configure-must-fail assertions.lint.ymlnightly.ymlmaster, seeds the wolfSSL prefix caches so next-day PRs restore instead of build, and runs the macOS extras + full negative-config set.sanitizers.ymlinterop.ymlKey design decisions
#ifdef/feature-flag breakage is caught before merge, not after. Nightly keeps the same variant matrix to (a) seed the caches and (b) retest against a fresh wolfSSLmaster, and owns the slow work (sanitizers, interop, macOS extras, full negative-config set).scripts/ci/build-wolfssl.shis the single source of truth mapping a config name → wolfSSL./configureflags. Thebuild-wolfsslcomposite action caches the install prefix, keyed on the resolved wolfSSL commit + a hash of the exact flags. Nightly owns the shared caches (save: true); PR and interop jobs are restore-only (save: false) so concurrent scheduled jobs never race to save the same key. Footprint is ~5–8 MB/entry, ~0.1 GB steady-state (worst case ~0.6 GB), well under GitHub's self-evicting 10 GB-per-repo cache.sigpipe-launcher.sh(CMake, viaCMAKE_CROSSCOMPILING_EMULATOR) and atrap '' PIPEshell (autoconf) — neither touches library or test source.macos-*stays bash-3.2-clean (nomapfile, guarded empty-array expansion).Build-system parity (
make check==ctest)Makefile.amwas missing, so the autoconfmake checkand CMakectestnow run the identical test set.check-buildsystem-parity.shto machine-enforce test-source parity in addition to library sources — a test added to one build system but not the other now failslint.ymlin seconds.Code change (not CI): CSR-attribute enforcement
src/est/est_server.c— refactor + hardening of theest_require_csr_attributesenforcement path:csr_attrs_enforce'serr_oid_cap/err_oid_lenout-parameters into a single value-resultsize_t*(capacity in, length out), matching wolfCrypt'sword32* outLenconvention.0on every non-missing path and the caller gates on it, so no current or future error path can render an unpopulated stack buffer into the client-visible HTTP 400 body.1.2.840.113549.1.9.7), covering the OID copy that the client-path test can't observe.Testing
Reproduce a CI job locally:
fullconfig.Notes
master, unpinned (per project decision).docs/CI.mddocuments the pipeline, the config names, and how to reproduce and debug a job locally.