Add Ed25519 signatures to Conscrypt. #3058
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Continuous integration | |
on: | |
push: | |
pull_request: | |
schedule: | |
# Run every day at midnight UTC | |
- cron: '0 0 * * *' | |
jobs: | |
boringssl_clone: | |
# This step ensures that all builders have the same version of BoringSSL | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone BoringSSL repo | |
run: | | |
git clone --depth 1 --filter=blob:none --no-checkout https://github.com/google/boringssl.git "${{ runner.temp }}/boringssl" | |
echo Using BoringSSL commit: $(cd "${{ runner.temp }}/boringssl"; git rev-parse HEAD) | |
- name: Archive BoringSSL source | |
uses: actions/upload-artifact@v4 | |
with: | |
name: boringssl-source | |
path: ${{ runner.temp }}/boringssl | |
retention-days: 1 | |
include-hidden-files: true | |
if-no-files-found: error | |
clang_format_check: | |
# Only run on pull requests. | |
if: ${{ startsWith(github.ref, 'refs/pull/') }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Get git-clang-format | |
# Uses the most recent clang-format on Ubuntu. | |
run: | | |
sudo apt-get -qq update | |
sudo apt-get -qq install -y --no-install-recommends clang-format | |
- name: Run git-clang-format against source branch | |
run: | | |
git clang-format --style=file --diff origin/$GITHUB_BASE_REF '*.c' '*.h' '*.cc' '*.cpp' '*.java' | |
build: | |
needs: boringssl_clone | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: [ubuntu-latest, macos-latest, windows-latest] | |
include: | |
- platform: ubuntu-latest | |
tools_url: https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip | |
- platform: macos-latest | |
tools_url: https://dl.google.com/android/repository/commandlinetools-mac-9477386_latest.zip | |
- platform: windows-latest | |
tools_url: https://dl.google.com/android/repository/commandlinetools-win-9477386_latest.zip | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- name: Set up JDK 11 for toolchains | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'zulu' | |
java-version: 11 | |
- name: Set runner-specific environment variables | |
shell: bash | |
run: | | |
echo "ANDROID_HOME=${{ runner.temp }}/android-sdk" >> $GITHUB_ENV | |
echo "ANDROID_SDK_ROOT=${{ runner.temp }}/android-sdk" >> $GITHUB_ENV | |
echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> $GITHUB_ENV | |
echo "SDKMANAGER=${{ runner.temp }}/android-sdk/cmdline-tools/bin/sdkmanager" >> $GITHUB_ENV | |
echo "M2_REPO=${{ runner.temp }}/m2" >> $GITHUB_ENV | |
- uses: actions/checkout@v4 | |
- name: Setup Linux environment | |
if: runner.os == 'Linux' | |
run: | | |
echo "CC=clang" >> $GITHUB_ENV | |
echo "CXX=clang++" >> $GITHUB_ENV | |
sudo dpkg --add-architecture i386 | |
sudo add-apt-repository ppa:openjdk-r/ppa | |
sudo apt-get -qq update | |
sudo apt-get -qq install -y --no-install-recommends \ | |
gcc-multilib \ | |
g++-multilib \ | |
ninja-build \ | |
openjdk-11-jre-headless | |
- name: Setup macOS environment | |
if: runner.os == 'macOS' | |
run: | | |
brew update || echo update failed | |
brew install ninja || echo update failed | |
- name: Setup Windows environment | |
if: runner.os == 'Windows' | |
run: | | |
choco install nasm -y | |
choco install ninja -y | |
- name: Fetch BoringSSL source | |
uses: actions/download-artifact@v4 | |
with: | |
name: boringssl-source | |
path: ${{ runner.temp }}/boringssl | |
- name: Checkout BoringSSL master branch | |
shell: bash | |
run: | | |
cd "$BORINGSSL_HOME" | |
git checkout --progress --force -B master | |
- name: Build BoringSSL x86 and ARM MacOS | |
if: runner.os == 'macOS' | |
env: | |
# For compatibility, but 10.15 target requires 16-byte stack alignment. | |
MACOSX_DEPLOYMENT_TARGET: 10.13 | |
run: | | |
mkdir -p "$BORINGSSL_HOME/build.x86" | |
pushd "$BORINGSSL_HOME/build.x86" | |
cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=x86_64 -GNinja .. | |
ninja | |
popd | |
mkdir -p "$BORINGSSL_HOME/build.arm" | |
pushd "$BORINGSSL_HOME/build.arm" | |
cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=arm64 -GNinja .. | |
ninja | |
popd | |
- name: Build BoringSSL 64-bit Linux | |
if: runner.os == 'Linux' | |
run: | | |
mkdir -p "$BORINGSSL_HOME/build64" | |
pushd "$BORINGSSL_HOME/build64" | |
cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja .. | |
ninja | |
popd | |
- name: Set up MSVC paths on Windows | |
if: runner.os == 'Windows' | |
uses: ilammy/msvc-dev-cmd@v1 | |
with: | |
arch: x64 | |
- name: Build BoringSSL 64-bit Windows | |
if: runner.os == 'Windows' | |
run: | | |
cd $Env:BORINGSSL_HOME | |
mkdir build64 | |
pushd build64 | |
cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded -GNinja .. | |
ninja | |
popd | |
- name: Setup Android environment | |
shell: bash | |
if: runner.os == 'Linux' | |
run: | | |
cd "${{ runner.temp }}" | |
curl -L "${{ matrix.tools_url }}" -o android-tools.zip | |
mkdir -p "$ANDROID_HOME" | |
unzip -q android-tools.zip -d "$ANDROID_HOME" | |
yes | "$SDKMANAGER" --sdk_root="$ANDROID_HOME" --licenses || true | |
"$SDKMANAGER" --sdk_root="$ANDROID_HOME" tools | |
"$SDKMANAGER" --sdk_root="$ANDROID_HOME" platform-tools | |
"$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'build-tools;30.0.3' | |
"$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'platforms;android-26' | |
"$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'extras;android;m2repository' | |
"$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'ndk;25.2.9519653' | |
"$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'cmake;3.22.1' | |
- name: Build with Gradle | |
shell: bash | |
run: ./gradlew assemble -PcheckErrorQueue | |
- name: Test with Gradle | |
shell: bash | |
timeout-minutes: 15 | |
run: ./gradlew check -PcheckErrorQueue | |
- name: Publish to local Maven repo | |
shell: bash | |
run: ./gradlew publishToMavenLocal -Dmaven.repo.local="$M2_REPO" | |
- name: Upload Maven respository | |
uses: actions/upload-artifact@v4 | |
with: | |
name: m2repo-${{ runner.os }} | |
path: ${{ runner.temp }}/m2 | |
- name: Build test JAR with dependencies | |
if: runner.os == 'Linux' | |
shell: bash | |
run: ./gradlew :conscrypt-openjdk:testJar -PcheckErrorQueue | |
- name: Upload test JAR with dependencies | |
if: runner.os == 'Linux' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: testjar | |
path: openjdk/build/libs/conscrypt-openjdk-*-tests.jar | |
if-no-files-found: error | |
uberjar: | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Linux environment | |
run: | | |
echo "CC=clang" >> $GITHUB_ENV | |
echo "CXX=clang++" >> $GITHUB_ENV | |
sudo dpkg --add-architecture i386 | |
sudo add-apt-repository ppa:openjdk-r/ppa | |
sudo apt-get -qq update | |
sudo apt-get -qq install -y --no-install-recommends \ | |
gcc-multilib \ | |
g++-multilib \ | |
ninja-build \ | |
openjdk-11-jre-headless | |
- name: Set runner-specific environment variables | |
shell: bash | |
run: | | |
echo "M2_REPO=${{ runner.temp }}/m2" >> $GITHUB_ENV | |
echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> $GITHUB_ENV | |
- name: Fetch BoringSSL source | |
uses: actions/download-artifact@v4 | |
with: | |
name: boringssl-source | |
path: ${{ runner.temp }}/boringssl | |
- name: Checkout BoringSSL master branch | |
shell: bash | |
run: | | |
cd "$BORINGSSL_HOME" | |
git checkout --progress --force -B master | |
- name: Build BoringSSL 64-bit Linux | |
run: | | |
mkdir -p "$BORINGSSL_HOME/build64" | |
pushd "$BORINGSSL_HOME/build64" | |
cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja .. | |
ninja | |
popd | |
# TODO(prb) remove build dependency above and go back to this. | |
# - name: Make fake BoringSSL directories | |
# shell: bash | |
# run: | | |
# # TODO: remove this when the check is only performed when building. | |
# # BoringSSL is not needed during the UberJAR build, but the | |
# # assertion to check happens regardless of whether the project | |
# # needs it. | |
# mkdir -p "${{ runner.temp }}/boringssl/build64" | |
# mkdir -p "${{ runner.temp }}/boringssl/include" | |
- name: Download Maven repository for Linux | |
uses: actions/download-artifact@v4 | |
with: | |
name: m2repo-Linux | |
path: ${{ runner.temp }}/m2 | |
- name: Download Maven repository for MacOS | |
uses: actions/download-artifact@v4 | |
with: | |
name: m2repo-macOS | |
path: ${{ runner.temp }}/m2 | |
- name: Download Maven repository for Windows | |
uses: actions/download-artifact@v4 | |
with: | |
name: m2repo-Windows | |
path: ${{ runner.temp }}/m2 | |
- name: Build UberJAR with Gradle | |
shell: bash | |
run: | | |
./gradlew :conscrypt-openjdk-uber:build -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO" | |
- name: Publish UberJAR to Maven Local | |
shell: bash | |
run: | | |
./gradlew :conscrypt-openjdk-uber:publishToMavenLocal -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO" | |
- name: Upload Maven respository | |
uses: actions/upload-artifact@v4 | |
with: | |
name: m2repo-uber | |
path: ${{ runner.temp }}/m2 | |
openjdk-test: | |
needs: uberjar | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: [ubuntu-latest, macos-13, macos-latest, windows-latest] | |
java: [8, 11, 17, 21] | |
dist: ['temurin', 'zulu'] | |
include: | |
- platform: ubuntu-latest | |
separator: ':' | |
- platform: macos-latest | |
separator: ':' | |
- platform: macos-13 | |
separator: ':' | |
- platform: windows-latest | |
separator: ';' | |
exclude: # Not available on Github runners | |
- platform: macos-latest | |
java: 8 | |
dist: 'temurin' | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- name: Set up Java | |
uses: actions/setup-java@v4 | |
with: | |
distribution: ${{ matrix.dist }} | |
java-version: ${{ matrix.java }} | |
- name: Download UberJAR | |
uses: actions/download-artifact@v4 | |
with: | |
name: m2repo-uber | |
path: m2 | |
- name: Download Test JAR with Dependencies | |
uses: actions/download-artifact@v4 | |
with: | |
name: testjar | |
path: testjar | |
- name: Download JUnit runner | |
shell: bash | |
run: mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.0:copy -Dartifact=org.junit.platform:junit-platform-console-standalone:1.11.2 -DoutputDirectory=. -Dmdep.stripVersion=true | |
- name: Run JUnit tests | |
timeout-minutes: 15 | |
shell: bash | |
run: | | |
DIR="$(find m2/org/conscrypt/conscrypt-openjdk-uber -maxdepth 1 -mindepth 1 -type d -print)" | |
VERSION="${DIR##*/}" | |
TESTJAR="$(find testjar -name '*-tests.jar')" | |
# SIGTERM handler, e.g. for when tests hang and time out. | |
# Send SIGQUIT to test process to get thread dump, give it | |
# a few seconds to complete and then kill it. | |
dump_threads() { | |
echo "Generating stack dump." | |
ps -fp "$TESTPID" | |
kill -QUIT "$TESTPID" | |
sleep 3 | |
kill -KILL "$TESTPID" | |
exit 1 | |
} | |
java -jar junit-platform-console-standalone.jar execute -cp "$DIR/conscrypt-openjdk-uber-$VERSION.jar${{ matrix.separator }}$TESTJAR" -n='org.conscrypt.ConscryptOpenJdkSuite' --scan-classpath --reports-dir=results --fail-if-no-tests & | |
case $(uname -s) in | |
Darwin|Linux) | |
trap dump_threads SIGTERM SIGINT | |
;; | |
*) | |
# TODO: Probably won't work on Windows but thread dumps | |
# work there already. | |
;; | |
esac | |
TESTPID=$! | |
wait "$TESTPID" | |
- name: Archive test results | |
if: ${{ always() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: test-results-${{ matrix.platform }}-${{ matrix.java }}-${{ matrix.dist }} | |
path: results |