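# Builds wolfProvider for each wolfSSL/OpenSSL/FIPS combination, then builds
# bind9 against the resulting packages and runs its test suite.
#
# NOTE(review): no `permissions:` block is declared here, so the token scope
# is whatever the caller or repository default grants. Consider declaring
# least-privilege permissions once the needs of the called workflows are
# confirmed.
name: Bind9 Tests
on:
  workflow_call:
    inputs:
      wolfssl_refs_json:
        description: "JSON array of wolfssl refs to test; empty = use discover_versions output"
        required: false
        type: string
        default: ""
  workflow_dispatch: {}
jobs:
  discover_versions:
    uses: ./.github/workflows/_discover-versions.yml
  build_wolfprovider:
    needs: discover_versions
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      fips_ref: ${{ matrix.fips_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      fail-fast: false
      matrix:
        # Caller-supplied refs take precedence; otherwise use the discovered list.
        wolfssl_ref: ${{ inputs.wolfssl_refs_json != '' && fromJson(inputs.wolfssl_refs_json) || fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        replace_default: [ true ]
  test_bind:
    runs-on: ubuntu-22.04
    needs: [build_wolfprovider, discover_versions]
    container:
      # NOTE(review): mutable tag; pinning the image by digest would make the
      # test environment reproducible and tamper-evident.
      image: ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 60
    strategy:
      fail-fast: false
      matrix:
        bind_ref: [ 'v9.18.28' ]
        # Must stay identical to the build_wolfprovider matrix so the artifact
        # name downloaded below matches one that was uploaded.
        wolfssl_ref: ${{ inputs.wolfssl_refs_json != '' && fromJson(inputs.wolfssl_refs_json) || fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
        openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_ref_array) }}
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        # '' runs the suite normally; the other value is exported into the
        # environment before 'make check'.
        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
        replace_default: [ true ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    steps:
      # NOTE(review): actions below are referenced by mutable tag (@v4);
      # pinning each to a full commit SHA is the usual supply-chain hardening.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
          # No later step pushes or fetches, so do not leave the job token in
          # .git/config where the third-party build and tests could read it.
          persist-credentials: false
      - name: Download packages from build job
        uses: actions/download-artifact@v4
        with:
          name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
          path: /tmp
      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
          # Prevent later 'apt-get install' of test dependencies from
          # replacing the wolfprov-patched libssl3, which breaks
          # replace-default mode.
          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
      - name: Verify wolfProvider is properly installed
        # The interpolated flags come only from fixed matrix values.
        run: |
          $GITHUB_WORKSPACE/scripts/verify-install.sh \
            ${{ matrix.replace_default && '--replace-default' || '' }} \
            ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}
      - name: Checkout bind9
        uses: actions/checkout@v4
        with:
          repository: isc-projects/bind9
          path: bind9
          ref: ${{ matrix.bind_ref }}
          fetch-depth: 1
          persist-credentials: false
      - name: Checkout OSP
        # NOTE(review): no ref is given, so the patch applied below comes from
        # whatever the default branch of wolfssl/osp holds at run time.
        uses: actions/checkout@v4
        with:
          repository: wolfssl/osp
          path: osp
          fetch-depth: 1
          persist-credentials: false
      - name: Apply OSP patch to bind9
        env:
          # wolfssl_ref can originate from the workflow_call input. Hand the
          # refs to the script as environment variables instead of expanding
          # them into the script text, so a value is never parsed as shell.
          BIND_REF: ${{ matrix.bind_ref }}
          WOLFSSL_REF: ${{ matrix.wolfssl_ref }}
        run: |
          cd bind9
          PATCH=$("$GITHUB_WORKSPACE/scripts/resolve-osp-patch.sh" "$GITHUB_WORKSPACE/osp" bind9 "$BIND_REF" "$WOLFSSL_REF" ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }})
          patch -p1 < "$PATCH"
      - name: Build and test bind9 with wolfProvider
        working-directory: bind9
        shell: bash
        run: |
          # Keep the step alive when 'make check' fails: its exit status is
          # read from PIPESTATUS and judged by check-workflow-result.sh.
          set +o pipefail # ignore errors from make check
          autoreconf -ivf
          ./configure
          make clean
          make -j$(nproc)
          ./bin/tests/system/ifconfig.sh up
          # force_fail is a fixed matrix value, either empty or NAME=VALUE.
          export ${{ matrix.force_fail }}
          make -j$(nproc) check 2>&1 | tee bind9-test.log
          TEST_RESULT=${PIPESTATUS[0]}
          # force_fail is deliberately left unquoted: when it is empty the
          # argument disappears, as in the original invocation.
          $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} bind9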