Standardize on cargo-c for building rustls-ffi, CMake for building test programs #1723
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: rustls-ffi | |
permissions: | |
contents: read | |
on: | |
push: | |
pull_request: | |
merge_group: | |
schedule: | |
- cron: '15 12 * * 3' | |
jobs: | |
build: | |
name: "Build+Test (${{ matrix.os }}, ${{ matrix.cc }}, ${{ matrix.rust }}, ${{ matrix.crypto }}${{ matrix.cert_compression == 'on' && ', cert compression' || '' }}${{ matrix.dyn_link == 'on' && ', dynamic linking' || '' }})" | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
# test a bunch of toolchain and crypto providers on ubuntu | |
cc: [ clang, gcc ] | |
crypto: [ aws-lc-rs, ring ] | |
rust: | |
- stable | |
- beta | |
- nightly | |
# MSRV - keep in sync with what rustls and rustls-platform-verifier | |
# consider MSRV | |
- "1.71" | |
os: [ ubuntu-latest ] | |
# Include a few MacOS and cert-compression builds to ensure they're tested without | |
# bloating the matrix or slowing down CI. | |
include: | |
# Linux dyn link build | |
- os: ubuntu-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
dyn_link: on | |
# Linux cert compression build | |
- os: ubuntu-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
cert_compression: on | |
# MacOS standard build | |
- os: macos-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
cert_compression: off | |
# MacOS dyn link build | |
- os: macos-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
dyn_link: on | |
# MacOS cert compression build | |
- os: macos-latest | |
cc: clang | |
crypto: aws-lc-rs | |
rust: stable | |
cert_compression: on | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install ${{ matrix.rust }} toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ matrix.rust }} | |
- name: Install cargo-c (Ubuntu) | |
if: matrix.os == 'ubuntu-latest' | |
env: | |
# Version picked for MSRV compat. | |
LINK: https://github.com/lu-zero/cargo-c/releases/download/v0.10.0 | |
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz | |
run: | | |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin | |
- name: Install cargo-c (macOS) | |
if: matrix.os == 'macos-latest' | |
env: | |
# Version picked for MSRV compat. | |
LINK: https://github.com/lu-zero/cargo-c/releases/download/v0.10.0 | |
CARGO_C_FILE: cargo-c-macos.zip | |
run: | | |
curl -L $LINK/$CARGO_C_FILE -o cargo-c-macos.zip | |
unzip cargo-c-macos.zip -d ~/.cargo/bin | |
- name: Setup cmake build | |
run: | | |
CC=${{matrix.cc}} \ | |
CXX=${{matrix.cc}} \ | |
cmake \ | |
-DCRYPTO_PROVIDER=${{matrix.crypto}} \ | |
-DCERT_COMPRESSION=${{matrix.cert_compression}} \ | |
-DDYN_LINK=${{matrix.dyn_link}} \ | |
-DCMAKE_BUILD_TYPE=Debug \ | |
${{ matrix.os == 'macos-latest' && '-DCMAKE_OSX_DEPLOYMENT_TARGET=14.5' || '' }} \ | |
-S . -B build | |
- name: Build | |
run: cmake --build build | |
- name: Platform verifier connect test | |
run: cmake --build build --target connect-test | |
- name: Integration tests | |
run: cmake --build build --target integration-test | |
- name: Verify debug builds were using ASAN | |
if: runner.os == 'Linux' # For 'nm' | |
run: | | |
nm build/tests/client | grep '__asan_init' | |
nm build/tests/server | grep '__asan_init' | |
- name: Build release binaries | |
run: | | |
cmake --build build -- clean | |
CC=${{matrix.cc}} CXX=${{matrix.cc}} cmake -S . -B build -DCRYPTO_PROVIDER=${{matrix.crypto}} -DCMAKE_BUILD_TYPE=Release | |
cmake --build build | |
- name: Verify release builds were not using ASAN | |
if: runner.os == 'Linux' # For 'nm' | |
run: | | |
! nm build/tests/client | grep '__asan_init' | |
! nm build/tests/server | grep '__asan_init' | |
valgrind: | |
name: Valgrind | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install valgrind | |
run: sudo apt-get update && sudo apt-get install -y valgrind | |
- name: Install cargo-c | |
env: | |
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download | |
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz | |
run: | | |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin | |
- name: Setup cmake build | |
run: cmake -S . -B build -DCMAKE_BUILD_TYPE=Release # No ASAN w/ Valgrind | |
- run: VALGRIND=valgrind cmake --build build --target integration-test | |
# TODO(@cpu): MacOS and Windows FIPS test coverage | |
fips: | |
name: FIPS | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: Install cargo-c | |
env: | |
LINK: https://github.com/lu-zero/cargo-c/releases/latest/download | |
CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz | |
run: | | |
curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin | |
- name: Setup cmake build | |
run: | | |
cmake \ | |
-DFIPS=true \ | |
-DCMAKE_BUILD_TYPE=Release \ | |
-S . -B build | |
- name: Integration tests | |
run: cmake --build build --target integration-test | |
test-windows: | |
name: "Windows (${{ matrix.crypto }}, ${{ matrix.config }}${{ matrix.cert_compression == 'on' && ', cert compression' || '' }}${{ matrix.dyn_link == 'on' && ', dynamic linking' || '' }})" | |
runs-on: windows-latest | |
strategy: | |
matrix: | |
crypto: [ aws-lc-rs, ring ] | |
config: [ Debug, Release ] | |
cert_compression: [ off ] | |
dyn_link: [ off ] | |
include: | |
# One build with dynamic linking. | |
- crypto: aws-lc-rs | |
config: Release | |
dyn_link: on | |
# One build with cert_compression. | |
- crypto: aws-lc-rs | |
config: Release | |
cert_compression: on | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
# For Debug builds we use ASAN, which requires a modern MSVC on $PATH | |
# to provide the ASAN clang_rt.asan_*.dll runtime deps or | |
# the built client/server binary will exit immediately with | |
# exit code -1073741515 | |
- name: Setup MSVC | |
uses: TheMrMilchmann/setup-msvc-dev@v3 | |
with: | |
arch: x64 | |
# TODO(@cpu): switch back to binary cargo-c releases once a release with | |
# https://github.com/lu-zero/cargo-c/pull/428 is included. This is | |
# needed for dynamic linking support on Windows. | |
# - name: Install cargo-c | |
# | |
# env: | |
# LINK: https://github.com/lu-zero/cargo-c/releases/latest/download | |
# CARGO_C_FILE: cargo-c-windows-msvc.zip | |
# run: | | |
# curl -L "$env:LINK/$env:CARGO_C_FILE" -o cargo-c-windows-msvc.zip | |
# powershell -Command "Expand-Archive -Path cargo-c-windows-msvc.zip -DestinationPath $env:USERPROFILE\\.cargo\\bin -Force" | |
- name: Install cargo-c | |
run: | | |
mkdir /tmp | |
pushd /tmp | |
git clone https://github.com/lu-zero/cargo-c.git | |
cd cargo-c | |
git fetch origin | |
git checkout msvc-def-gen | |
cargo install --path ./ | |
popd | |
- name: Configure CMake | |
run: cmake -DCRYPTO_PROVIDER="${{ matrix.crypto }}" -DCERT_COMPRESSION="${{ matrix.cert_compression }}" -DDYN_LINK="${{ matrix.dyn_link }}" -S . -B build | |
- name: Build | |
run: cmake --build build --config "${{ matrix.config }}" | |
- name: Integration test | |
run: cmake --build build --config "${{matrix.config}}" --target integration-test | |
ensure-header-updated: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: Install cbindgen | |
# Pin the installed version of cbindgen so that local usage can be | |
# reliably matched to CI. There can be non-semantic differences in | |
# output between point releases of cbindgen that will fail this check | |
# otherwise. | |
run: cargo install cbindgen --force --version 0.27.0 | |
- run: touch src/lib.rs | |
- run: cbindgen --version | |
- run: make src/rustls.h | |
- run: git diff --exit-code | |
docs: | |
name: Check for documentation errors | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: cargo doc (all features) | |
run: cargo doc --all-features --no-deps --workspace | |
env: | |
RUSTDOCFLAGS: -Dwarnings | |
minver: | |
name: Check minimum versions | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: cargo test (debug; default features; -Z minimal-versions) | |
run: cargo -Z minimal-versions test --locked | |
- name: cargo test (debug; ring; -Z minimal-versions) | |
run: cargo -Z minimal-versions test --no-default-features --features=ring --locked | |
format: | |
name: Format | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: "1.71" | |
components: rustfmt | |
- name: Install Gersemi | |
run: pip install gersemi | |
- name: Setup cmake build | |
run: cmake -S . -B build | |
- name: Check formatting | |
run: cmake --build build --target format-check | |
clippy: | |
name: Clippy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
components: clippy | |
- name: Check clippy (default features) | |
# We allow unknown lints here because sometimes the nightly job | |
# (below) will have a new lint that we want to suppress. | |
# If we suppress (e.g. #![allow(clippy::arc_with_non_send_sync)]), | |
# we would get an unknown-lint error from older clippy versions. | |
run: cargo clippy --locked --workspace --all-targets -- -D warnings -A unknown-lints | |
- name: Check clippy (ring) | |
run: cargo clippy --locked --workspace --all-targets --no-default-features --features=ring -- -D warnings -A unknown-lints | |
clippy-nightly-optional: | |
name: Clippy nightly (optional) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
with: | |
components: clippy | |
- name: Check clippy (default features) | |
run: cargo clippy --locked --workspace --all-targets -- -D warnings | |
- name: Check clippy (ring) | |
run: cargo clippy --locked --workspace --all-targets --no-default-features --features=ring -- -D warnings | |
- name: Check clippy (all features) | |
# We only test --all-features on nightly, because two of the features | |
# (read_buf, core_io_borrowed_buf) require nightly. | |
run: cargo clippy --locked --workspace --all-targets --all-features -- -D warnings | |
clang-tidy: | |
name: Clang Tidy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Clang tidy | |
run: clang-tidy tests/*.c -- -I src/ | |
miri: | |
name: Miri | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly Rust | |
uses: dtolnay/rust-toolchain@nightly | |
- run: rustup override set "nightly-$(curl -s https://rust-lang.github.io/rustup-components-history/x86_64-unknown-linux-gnu/miri)" | |
- run: rustup component add miri | |
- run: cargo miri test |