systemd.yml
name: systemd Tests

# START OF COMMON SECTION
on:
  push:
    branches:
      - 'master'
      - 'main'
      - 'release/**'
  pull_request:
    # NOTE(review): in GitHub's filter syntax '*' does not match '/', so pull
    # requests targeting release/** branches are not covered by this trigger.
    # Confirm that is intended; '**' would include them.
    branches:
      - '*'

# NOTE(review): no `permissions:` key is set in this file, so GITHUB_TOKEN gets
# the repository/organisation default scopes. A least-privilege block such as
# `permissions: {contents: read}` looks sufficient for the steps visible here;
# confirm what the reusable build workflow needs before adding it.
concurrency:
  # One live run per workflow and ref: a newer run cancels the one in progress.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
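jobs:
  # Calls the repository's reusable build workflow once per matrix entry.
  # test_systemd below downloads a `debian-packages-*` artifact by name, so the
  # build is presumably what publishes it (the called workflow is not shown).
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      fips_ref: ${{ matrix.fips_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        wolfssl_ref: ['v5.8.4-stable']
        openssl_ref: ['openssl-3.5.4']
        fips_ref: ['FIPS', 'non-FIPS']
        replace_default: [true]

  # Installs the built packages in a Debian container, builds systemd against
  # them and runs the systemd tests that link directly to libcrypto, both
  # normally and with WOLFPROV_FORCE_FAIL=1 set.
  test_systemd:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    # This should be a safe limit for the tests to run.
    timeout-minutes: 20
    container:
      # NOTE(review): mutable image tag; pin by digest if reproducible,
      # tamper-evident CI inputs are required.
      image: debian:bookworm
    # Job-level environment so the shell of every step sees these values.
    env:
      DEBIAN_FRONTEND: noninteractive
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    strategy:
      fail-fast: false
      matrix:
        systemd_ref: ['v254']
        wolfssl_ref: ['v5.8.4-stable']
        openssl_ref: ['openssl-3.5.4']
        fips_ref: ['FIPS', 'non-FIPS']
        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
        replace_default: [true]
    steps:
      # NOTE(review): the actions in this job are referenced by mutable major
      # tags (@v4); pin them to full commit SHAs if the project requires
      # immutable action references.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
          # No later step pushes or fetches with the token, so do not leave it
          # in the checkout's git config while third-party code is built.
          persist-credentials: false

      - name: Download packages from build job
        uses: actions/download-artifact@v4
        with:
          name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
          path: /tmp

      - name: Install wolfSSL/OpenSSL/wolfprov packages
        # Paths come from the job environment as shell variables rather than
        # being pasted into the script text by expression expansion.
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "$WOLFSSL_PACKAGES_PATH"/libwolfssl_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "$OPENSSL_PACKAGES_PATH"/openssl_*.deb \
            "$OPENSSL_PACKAGES_PATH"/libssl3_*.deb \
            "$OPENSSL_PACKAGES_PATH"/libssl-dev_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "$WOLFPROV_PACKAGES_PATH"/libwolfprov_*.deb
          # Prevent later 'apt-get install' of test dependencies from
          # replacing the wolfprov-patched libssl3, which breaks
          # replace-default mode.
          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov

      - name: Verify wolfProvider is properly installed
        # Each expression expands to a fixed flag or to nothing, depending on
        # the matrix entry.
        run: |
          "$GITHUB_WORKSPACE/scripts/verify-install.sh" \
            ${{ matrix.replace_default && '--replace-default' || '' }} \
            ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}

      - name: Install dependencies
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt-get update
          apt-get install -y build-essential meson ninja-build \
            libmount-dev gperf python3-pytest python3-jinja2 python3-pip \
            libuv1-dev libnghttp2-dev libcap-dev uuid-dev libdevmapper-dev \
            libpopt-dev libjson-c-dev libargon2-dev libblkid-dev asciidoctor \
            pkgconf zlib1g-dev libgcrypt20-dev libgpg-error-dev libgnutls28-dev \
            libp11-kit-dev libfido2-dev libtss2-dev libdw-dev libbz2-dev \
            liblzma-dev liblz4-dev libzstd-dev libxkbcommon-dev libglib2.0-dev \
            libdbus-1-dev python3-setuptools python3-wheel git

      - name: Checkout systemd
        uses: actions/checkout@v4
        with:
          repository: systemd/systemd
          path: systemd
          fetch-depth: 1
          ref: ${{ matrix.systemd_ref }}
          # The systemd tree is only built and tested; keep the workflow token
          # out of its .git/config.
          persist-credentials: false

      - name: Build systemd
        working-directory: systemd
        run: |
          meson setup -Dnobody-group=nogroup build
          ninja -C build

      - name: Run systemd tests
        working-directory: systemd
        shell: bash
        env:
          # Either 'WOLFPROV_FORCE_FAIL=1' or empty. Handed to the script as
          # data instead of being expanded into the script source.
          MATRIX_FORCE_FAIL: ${{ matrix.force_fail }}
        run: |
          # Keep going after a test failure: the result is judged by
          # check-workflow-result.sh, not by the shell.
          set +e
          # The following test cases link directly to libcrypto.
          TEST_CASES="fuzz-dns-packet fuzz-etc-hosts fuzz-resource-record \
            resolvectl systemd-resolved test-cryptolib \
            test-dns-packet test-dnssec test-resolve-tables \
            test-resolved-etc-hosts test-resolved-packet \
            test-resolved-stream"
          # Export only when a value is present; a bare 'export' would print
          # every exported variable into the job log.
          if [ -n "$MATRIX_FORCE_FAIL" ]; then
            export "$MATRIX_FORCE_FAIL"
          fi
          meson test -C build $TEST_CASES
          TEST_RESULT=$?
          if [ "$TEST_RESULT" -ne 0 ]; then
            cat build/meson-logs/testlog.txt
          fi
          # $MATRIX_FORCE_FAIL stays unquoted on purpose: when it is empty the
          # argument must disappear, so the script receives the same argument
          # list as before.
          "$GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh" "$TEST_RESULT" $MATRIX_FORCE_FAIL systemd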