crypto: support OpenSSL STORE private keys #8100
# This action uses the following secrets:
# CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org — without it, the cache is read-only.
name: Test Shared libraries

on:
  pull_request:
    # Changes limited to these paths do not trigger the workflow. `!` entries
    # re-include paths that a broader glob above them would otherwise exclude.
    # NOTE: this list is repeated verbatim under `push` below; keep both in sync.
    paths-ignore:
      - '**.md'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - deps/ada/**
      - deps/brotli/**
      - deps/cares/**
      - deps/crates/**
      - deps/corepack/**
      - deps/googletest/**
      - deps/histogram/**
      - deps/icu-small/**
      - deps/icu-tmp/**
      - deps/llhttp/**
      - deps/merve/**
      - deps/nbytes/**
      - deps/nghttp2/**
      - deps/ngtcp2/**
      - deps/openssl/*/**
      - deps/simdjson/**
      - deps/sqlite/**
      - deps/uv/**
      - deps/uvwasi/**
      - deps/zlib/**
      - deps/zstd/**
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/**
      - '!tools/gyp/**'
      - '!tools/nix/**'
      - '!tools/v8/**'
      - '!tools/v8_gypfiles/**'
      - typings/**
      - vcbuild.bat
      # Dotfiles are ignored except for this workflow and the action it uses.
      - .**
      - '!.github/workflows/test-shared.yml'
      - '!.github/actions/build-shared/**'
    types: [opened, synchronize, reopened, ready_for_review]
  push:
    branches:
      - main
      - canary
      - v[0-9]+.x-staging
      - v[0-9]+.x
    # Same list as for `pull_request` above.
    paths-ignore:
      - '**.md'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - deps/ada/**
      - deps/brotli/**
      - deps/cares/**
      - deps/crates/**
      - deps/corepack/**
      - deps/googletest/**
      - deps/histogram/**
      - deps/icu-small/**
      - deps/icu-tmp/**
      - deps/llhttp/**
      - deps/merve/**
      - deps/nbytes/**
      - deps/nghttp2/**
      - deps/ngtcp2/**
      - deps/openssl/*/**
      - deps/simdjson/**
      - deps/sqlite/**
      - deps/uv/**
      - deps/uvwasi/**
      - deps/zlib/**
      - deps/zstd/**
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/**
      - '!tools/gyp/**'
      - '!tools/nix/**'
      - '!tools/v8/**'
      - '!tools/v8_gypfiles/**'
      - typings/**
      - vcbuild.bat
      - .**
      - '!.github/workflows/test-shared.yml'
      - '!.github/actions/build-shared/**'
concurrency:
  # One in-flight run per workflow and PR branch (`head_ref`). Pushes have no
  # `head_ref`, so the run id makes every push its own group and nothing is
  # cancelled there.
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  FLAKY_TESTS: keep_retrying

# Least privilege for the default GITHUB_TOKEN: the jobs only need to read
# the repository. Cache writes use the separate CACHIX_AUTH_TOKEN secret.
permissions:
  contents: read

jobs:
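# build-tarball: produce a slim source tarball once (vendored shared deps
# skipped) so later jobs can work from the same source tree.
  build-tarball:
    # `github.event.pull_request` does not exist on push events; under GitHub's
    # expression rules the comparison is still true there, so pushes build too.
    if: github.event.pull_request.draft == false
    # This workflow is only triggered by `pull_request` and `push` (see `on:`),
    # so the job name needs no `workflow_dispatch` special case.
    name: Build slim tarball
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false
      - name: Make tarball
        run: |
          export DATESTRING=$(date "+%Y-%m-%d")
          export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA")
          ./configure && make tar -j4 SKIP_XZ=1 SKIP_SHARED_DEPS=1
        env:
          DISTTYPE: nightly
      - name: Upload tarball artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: tarballs
          path: '*.tar.gz'
          # The tarball is already gzip-compressed; re-compressing is wasted work.
          compression-level: 0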
# build: build and test Node.js against shared libraries on every supported
# runner/system except aarch64-linux, which is handled by the jobs below.
  build:
    needs: build-tarball
    strategy:
      # Let every platform finish so failures can be compared across systems.
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-24.04
            system: x86_64-linux
          # built separately in build-aarch64-linux-v8
          # - runner: ubuntu-24.04-arm
          #   system: aarch64-linux
          - runner: macos-15-intel
            system: x86_64-darwin
          - runner: macos-latest
            system: aarch64-darwin
    name: '${{ matrix.system }}: with shared libraries'
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
          # Only the local composite actions are checked out; the sources are
          # presumably taken from the `tarballs` artifact inside build-shared
          # (not shown in this file).
          sparse-checkout: .github/actions
          sparse-checkout-cone-mode: false
      - uses: ./.github/actions/build-shared
        name: Build and test Node.js
        with:
          # Empty when the secret is unavailable (e.g. pull requests from
          # forks); the cache is then read-only.
          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
          pkcs11-store-provider-test: 'true'
          # Darwin builds disable optional components. The `''` pairs inside the
          # expression are escaped single quotes of a GitHub Actions string
          # literal; both lines end in a shell continuation.
          extra-nix-flags: |
            --arg useSeparateDerivationForV8 true \
            ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
# build-aarch64-linux-v8: make sure the standalone V8 derivation for
# aarch64-linux is available (binary cache or workflow artifact) and compute
# the OpenSSL matrix consumed by build-openssl.
  build-aarch64-linux-v8:
    needs: build-tarball
    runs-on: ubuntu-24.04-arm
    name: 'aarch64-linux: Cache V8 build'
    outputs:
      # 'true' only when the `upload` step actually ran, i.e. the V8 build was
      # handed over as an artifact rather than pushed to the binary cache.
      local-cache: ${{ steps.upload.outcome != 'skipped' && 'true' || '' }}
      # JSON list of OpenSSL matrix entries produced by the `query` step.
      matrix: ${{ steps.query.outputs.matrix }}
    env:
      # Only a presence flag ('true' or empty) reaches the environment; the
      # token value itself is never placed in env.
      HAS_CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN && 'true' }}
    steps:
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: tarballs
          path: tarballs
      # Unpack under RUNNER_TEMP and publish the source root as TAR_DIR for the
      # remaining steps. Assumes exactly one tarball in the artifact.
      - name: Extract tarball
        shell: bash
        run: |
          tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
          echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"
      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
        with:
          # Sandboxed builds keep anything pushed to the shared cache hermetic.
          extra_nix_config: sandbox = true
      # Instantiate the V8 derivation from the tarball's shell.nix and probe
      # nodejs.cachix.org for its output hash: a 200 on the .narinfo means the
      # build is already cached and the build/upload steps below are skipped.
      - name: Evaluate V8 derivation, check its cache status
        id: v8-drv
        run: |
          V8_DRV=$(
            nix-instantiate -E "builtins.filter (p: p.pname == ''v8'') (import $TAR_DIR/shell.nix { useSeparateDerivationForV8=true; }).buildInputs"
          )
          V8_STORE_PATH=$(nix-store -q --outputs "$V8_DRV")
          echo "V8_DRV=$V8_DRV" >> "$GITHUB_OUTPUT"
          set -x
          [ "$(curl -ISsw "%{http_code}" -o /dev/null "https://nodejs.cachix.org/$(basename ${V8_STORE_PATH%-v8-*}).narinfo")" != "200" ] ||
            echo "ALREADY_CACHED=true" >> "$GITHUB_OUTPUT"
      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
        if: ${{ steps.v8-drv.outputs.ALREADY_CACHED != 'true' }}
        with:
          name: nodejs
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build V8 to cache it
        if: ${{ steps.v8-drv.outputs.ALREADY_CACHED != 'true' }}
        run: nix-store --export "$(nix-build "$V8_DRV")" > libv8-aarch64-linux.nar
        env:
          V8_DRV: ${{ steps.v8-drv.outputs.V8_DRV }}
      # Without a cachix token nothing could be pushed, so the exported store
      # path is handed to build-openssl as a workflow artifact instead.
      - name: Upload libv8-aarch64-linux.nar
        if: ${{ steps.v8-drv.outputs.ALREADY_CACHED != 'true' && env.HAS_CACHIX_AUTH_TOKEN != 'true' }}
        id: upload
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: libv8-aarch64-linux.nar
          path: libv8-aarch64-linux.nar
      # Emit one `{attr, name, pkcs11StoreProviderTest}` entry per attribute of
      # tools/nix/openssl-matrix.nix as JSON. The insecure-package allowance is
      # needed only so the EOL 1.1.1w entry evaluates; it does not affect the
      # builds, which whitelist per matrix entry.
      - name: Collect matrix of support OpenSSL versions
        id: query
        run: |
          echo "matrix=$(
            nix-instantiate --eval --strict --json -E "
              let
                pkgs = import $TAR_DIR/tools/nix/pkgs.nix {
                  config.permittedInsecurePackages = [ \"openssl-1.1.1w\" ];
                };
                matrix = import $TAR_DIR/tools/nix/openssl-matrix.nix {
                  inherit pkgs;
                };
              in
                builtins.map (attr:
                  let
                    openssl = builtins.getAttr attr matrix;
                  in
                  {
                    inherit attr;
                    inherit (openssl) name;
                    # The real pkcs11 STORE test needs pkcs11-provider and
                    # SoftHSM built against the same OpenSSL as Node. The pinned
                    # SoftHSM package currently builds against OpenSSL 3.x but
                    # not OpenSSL 4.x, so keep this to the known-working range and
                    # revisit when https://github.com/softhsm/SoftHSMv2/issues/868
                    # is fixed and the pinned nixpkgs provider stack supports 4.x.
                    pkcs11StoreProviderTest =
                      openssl.pname == \"openssl\" &&
                      pkgs.lib.versionAtLeast openssl.version \"3\" &&
                      pkgs.lib.versionOlder openssl.version \"4\";
                  }) (builtins.attrNames matrix)
            "
          )" >> "$GITHUB_OUTPUT"
| # Builds and tests Node.js with shared libraries against every supported | |
| # OpenSSL release version available in the repo-pinned nixpkgs. The default | |
| # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix | |
| # entry, while all other shared libs remain at their defaults. Only runs on | |
| # a single runner/system (aarch64-linux) to keep the matrix to a minimum. | |
| build-openssl: | |
| needs: build-aarch64-linux-v8 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }} | |
| name: 'aarch64-linux: with shared ${{ matrix.openssl.name }}' | |
| runs-on: ubuntu-24.04-arm | |
| continue-on-error: false | |
| env: | |
| OPENSSL_ATTR: ${{ matrix.openssl.attr }} | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| sparse-checkout-cone-mode: false | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| if: ${{ needs.build-aarch64-linux-v8.outputs.local-cache }} | |
| with: | |
| name: libv8-aarch64-linux.nar | |
| - uses: ./.github/actions/build-shared | |
| name: Build and test Node.js | |
| with: | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| pkcs11-store-provider-test: ${{ matrix.openssl.pkcs11StoreProviderTest }} | |
| # Override just the `openssl` attr of the default shared-lib set with | |
| # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All | |
| # other shared libs (brotli, cares, libuv, …) keep their defaults. | |
| # `permittedInsecurePackages` whitelists just the matrix-selected | |
| # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support | |
| # cycles evaluate without relaxing nixpkgs' meta check globally. | |
| extra-nix-flags: | | |
| --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8-aarch64-linux.nar)"' || 'true' }} \ | |
| --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { | |
| openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR; | |
| }" \ |