.github/workflows/os-check.yml: address review nits on the split refactor

claude · claude · commit 8e4dcb16c4fa · 2026-04-27T08:57:34.000Z
- Drop the section dividers in make_check_linux's config list. The two
  groups they marked were "old make_check configs" vs "old
  make_check_linux configs" -- an artifact of the merge, not a real
  semantic distinction (e.g. SHE / harden-tls / sniffer entries have no
  Darwin paths to be "covered by make_check_macos" at all). Replaced
  with a single "Add new configs here" comment.

- Drop the parens from job display names: "make check (Linux)" /
  "make check (macOS)" rendered as "make check (Linux) (&lt;config&gt;)" in
  the GitHub UI under a 1-D matrix. Now "make check linux" /
  "make check macos".

- Tighten the --disable-sys-ca-certs comment in make_check_macos. The
  meaningful signal is the configure-time auto-enable override and the
  Security.framework code path being compiled out cleanly; the runtime
  test on the resulting binary doesn't differ much from Linux.

- Drop the dead-weight single-element os: [ ubuntu-24.04 ] matrix axis
  on make_user_settings_testwolfcrypt, matching the same cleanup
  already done on make_user_settings and make_user_all.
diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
@@ -21,10 +21,7 @@ jobs:
       fail-fast: false
       matrix:
         config: [
-          # Add new configs here.
-          # --- Configs whose macOS-relevant paths are covered by
-          #     make_check_macos (sys-ca-certs, --enable-all, DTLS-CID,
-          #     cryptocb dispatch). ---
+          # Add new configs here
           '',
           '--enable-all --enable-asn=template',
           '--enable-all --enable-asn=original',
@@ -91,9 +88,6 @@ jobs:
           '--enable-ocsp --enable-ocsp-responder --enable-ocspstapling CPPFLAGS="-DWOLFSSL_NONBLOCK_OCSP" --enable-maxfragment',
           '--enable-all CPPFLAGS=-DWOLFSSL_HASH_KEEP',
           '--enable-all --enable-writedup',
-          # --- Configs that exercise no Darwin-specific code at all
-          #     (pure crypto algorithms, preprocessor guards, features
-          #     with no platform-specific code paths). ---
           '--enable-ascon --enable-experimental',
           '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
           # PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)
@@ -115,7 +109,7 @@ jobs:
           '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
           '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
         ]
-    name: make check (Linux)
+    name: make check linux
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
@@ -144,8 +138,9 @@ jobs:
           # sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT enable
           # cryptocb or SHE, so those have their own entries below.
           '--enable-all --enable-asn=template',
-          # Negative test: ensure the explicit-disable path still builds and
-          # runs cleanly on the only OS that auto-enables sys-ca-certs.
+          # Validates the configure-time auto-enable override and that the
+          # build compiles out the Security.framework code path cleanly --
+          # macOS is the only OS where sys-ca-certs is auto-on by default.
           '--disable-sys-ca-certs',
           # DTLS over BSD sockets on Darwin: connection-ID, fragmented
           # ClientHello, secure renegotiation, PSK, AES-CCM, null cipher --
@@ -158,7 +153,7 @@ jobs:
           # compiles and runs on the macOS toolchain.
           '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey',
         ]
-    name: make check (macOS)
+    name: make check macos
     if: github.repository_owner == 'wolfssl'
     runs-on: macos-latest
     # This should be a safe limit for the tests to run.
@@ -198,12 +193,11 @@ jobs:
           user-settings: ${{ matrix.user-settings }}
 
   make_user_settings_testwolfcrypt:
+    # testwolfcrypt runs pure crypto tests with no platform-specific
+    # features, so Linux-only is sufficient for these user_settings.
     strategy:
       fail-fast: false
       matrix:
-        # testwolfcrypt runs pure crypto tests with no platform-specific
-        # features, so Linux-only is sufficient for these user_settings.
-        os: [ ubuntu-24.04 ]
         user-settings: [
           # Add new user_settings.h here (alphabetical order)
           'examples/configs/user_settings_ca.h',
@@ -227,7 +221,7 @@ jobs:
         ]
     name: make user_setting.h (testwolfcrypt only)
     if: github.repository_owner == 'wolfssl'
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 14
     steps:
