tools: add non-default OpenSSL versions to the test-shared workflow #5725
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action uses the following secrets: | |
| # CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org – without it, the cache is read-only. | |
| name: Test Shared libraries | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| push: | |
| branches: | |
| - main | |
| - canary | |
| - v[0-9]+.x-staging | |
| - v[0-9]+.x | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| FLAKY_TESTS: keep_retrying | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-tarball: | |
| if: github.event.pull_request.draft == false | |
| name: ${{ github.event_name == 'workflow_dispatch' && 'Skipped job' || 'Build slim tarball' }} | |
| runs-on: ubuntu-slim | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| persist-credentials: false | |
| - name: Make tarball | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| run: | | |
| export DATESTRING=$(date "+%Y-%m-%d") | |
| export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA") | |
| ./configure && make tar -j4 SKIP_XZ=1 SKIP_SHARED_DEPS=1 | |
| env: | |
| DISTTYPE: nightly | |
| - name: Upload tarball artifact | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: tarballs | |
| path: '*.tar.gz' | |
| compression-level: 0 | |
| build: | |
| needs: build-tarball | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| system: x86_64-linux | |
| - runner: ubuntu-24.04-arm | |
| system: aarch64-linux | |
| - runner: macos-15-intel | |
| system: x86_64-darwin | |
| - runner: macos-latest | |
| system: aarch64-darwin | |
| name: '${{ matrix.system }}: with shared libraries' | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| - uses: ./.github/actions/build-shared | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| system: ${{ matrix.system }} | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| # Builds the matrix for the `build-openssl` job. The logic lives in | |
| # tools/nix/collect-openssl-matrix.sh. | |
| # Output shape: | |
| # [{ "version": "3.6", "attr": "openssl_3_6", "continue-on-error": false }, ...] | |
| collect-openssl-versions: | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-slim | |
| outputs: | |
| matrix: ${{ steps.query.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: tools/nix | |
| sparse-checkout-cone-mode: false | |
| - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 | |
| with: | |
| extra_nix_config: sandbox = true | |
| - id: query | |
| env: | |
| # Latest OpenSSL release we support running tests with. Anything | |
| # newer runs with continue-on-error in `build-openssl`. | |
| SUPPORTED_OPENSSL_VERSION: '4.0' | |
| run: | | |
| matrix=$(./tools/nix/collect-openssl-matrix.sh) | |
| echo "matrix=$matrix" >> "$GITHUB_OUTPUT" | |
| # Builds and tests Node.js with shared libraries against every supported | |
| # OpenSSL release version available in the repo-pinned nixpkgs. The default | |
| # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix | |
| # entry, while all other shared libs remain at their defaults. Only runs on | |
| # a single runner/system (x86_64-linux) to keep the matrix to a minimum. | |
| build-openssl: | |
| needs: | |
| - build-tarball | |
| - collect-openssl-versions | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }} | |
| name: 'x86_64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})' | |
| runs-on: ubuntu-24.04 | |
| continue-on-error: ${{ matrix.openssl['continue-on-error'] }} | |
| env: | |
| OPENSSL_ATTR: ${{ matrix.openssl.attr }} | |
| # Some EOL-with-extended-support cycles (e.g. 1.1.1) are marked | |
| # insecure by nixpkgs' meta check and refuse to evaluate without this. | |
| NIXPKGS_ALLOW_INSECURE: '1' | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| - uses: ./.github/actions/build-shared | |
| with: | |
| system: x86_64-linux | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| # Override just the `openssl` attr of the default shared-lib set with | |
| # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All | |
| # other shared libs (brotli, cares, libuv, …) keep their defaults. | |
| extra-nix-args: --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { openssl = (import $TAR_DIR/tools/nix/pkgs.nix {}).$OPENSSL_ATTR; }" |