move openssl-matrix to a nix file #323
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action uses the following secrets: | |
| # CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org – without it, the cache is read-only. | |
| name: Test Shared libraries | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| push: | |
| branches: | |
| - main | |
| - canary | |
| - v[0-9]+.x-staging | |
| - v[0-9]+.x | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| FLAKY_TESTS: keep_retrying | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-tarball: | |
| if: github.event.pull_request.draft == false | |
| name: ${{ github.event_name == 'workflow_dispatch' && 'Skipped job' || 'Build slim tarball' }} | |
| runs-on: ubuntu-slim | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| persist-credentials: false | |
| - name: Make tarball | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| run: | | |
| export DATESTRING=$(date "+%Y-%m-%d") | |
| export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA") | |
| ./configure && make tar -j4 SKIP_XZ=1 SKIP_SHARED_DEPS=1 | |
| env: | |
| DISTTYPE: nightly | |
| - name: Upload tarball artifact | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: tarballs | |
| path: '*.tar.gz' | |
| compression-level: 0 | |
| build: | |
| needs: build-tarball | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| system: x86_64-linux | |
| # built separately in build-aarch64-linux-v8 | |
| # - runner: ubuntu-24.04-arm | |
| # system: aarch64-linux | |
| - runner: macos-15-intel | |
| system: x86_64-darwin | |
| - runner: macos-latest | |
| system: aarch64-darwin | |
| name: '${{ matrix.system }}: with shared libraries' | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| sparse-checkout-cone-mode: false | |
| - uses: ./.github/actions/build-shared | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| extra-nix-attrs: | | |
| --arg useSeparateDerivationForV8 true \ | |
| ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }} | |
| build-aarch64-linux-v8: | |
| needs: build-tarball | |
| runs-on: ubuntu-24.04-arm | |
| name: 'aarch64-linux: Cache V8 build' | |
| outputs: | |
| matrix: ${{ steps.query.outputs.matrix }} | |
| steps: | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: tarballs | |
| path: tarballs | |
| - name: Extract tarball | |
| shell: bash | |
| run: | | |
| tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP" | |
| echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV" | |
| - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 | |
| with: | |
| extra_nix_config: sandbox = true | |
| - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 | |
| with: | |
| name: nodejs | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| - name: Build V8 derivation | |
| id: build | |
| run: | | |
| echo "V8_DIR=$(nix-build "$( | |
| nix-instantiate -E "builtins.filter (p: p.pname == ''v8'') (import $TAR_DIR/shell.nix { useSeparateDerivationForV8=true; }).buildInputs" | |
| )")" >> "$GITHUB_OUTPUT" | |
| - name: Upload tarball artifact | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: libv8 | |
| path: ${{ steps.build.outputs.V8_DIR }} | |
| - name: Compute OpenSSL support matrix | |
| id: query | |
| run: | | |
| nix-instantiate --eval --strict --json -E " | |
| let | |
| matrix = import $TAR_DIR/tools/nix/openssl-matrix.nix {}; | |
| in | |
| builtins.map (attr: { inherit attr; inherit (builtins.getAttr attr matrix) name; }) (builtins.attrNames matrix) | |
| " | |
| # Builds and tests Node.js with shared libraries against every supported | |
| # OpenSSL release version available in the repo-pinned nixpkgs. The default | |
| # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix | |
| # entry, while all other shared libs remain at their defaults. Only runs on | |
| # a single runner/system (aarch64-linux) to keep the matrix to a minimum. | |
| build-openssl: | |
| needs: | |
| - build-aarch64-linux-v8 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }} | |
| name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})' | |
| runs-on: ubuntu-24.04-arm | |
| continue-on-error: ${{ matrix.openssl['continue-on-error'] }} | |
| env: | |
| OPENSSL_ATTR: ${{ matrix.openssl.attr }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| sparse-checkout-cone-mode: false | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| name: libv8 | |
| path: ${{ runner.temp }}/libv8 | |
| - uses: ./.github/actions/build-shared | |
| with: | |
| system: aarch64-linux | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| # Override just the `openssl` attr of the default shared-lib set with | |
| # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All | |
| # other shared libs (brotli, cares, libuv, …) keep their defaults. | |
| # `permittedInsecurePackages` whitelists just the matrix-selected | |
| # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support | |
| # cycles evaluate without relaxing nixpkgs' meta check globally. | |
| extra-nix-args: | | |
| --arg useSeparateDerivationForV8 "$RUNNER_TEMP/libv8" \ | |
| --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { | |
| openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR; | |
| }" |