move openssl-matrix to a nix file

aduh95 · aduh95 · commit 3ae4e0ab810c · 2026-04-26T16:25:15.000+02:00
diff --git a/.github/actions/build-shared/action.yml b/.github/actions/build-shared/action.yml
@@ -5,9 +5,6 @@ description: >
   test suite inside the pinned nix-shell.
 
 inputs:
-  system:
-    description: System label (e.g. x86_64-linux, aarch64-darwin).
-    required: true
   extra-nix-args:
     description: Additional arguments appended to the nix-shell invocation.
     required: false
@@ -21,13 +18,11 @@ runs:
   using: composite
   steps:
     - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
-      if: ${{ github.event_name != 'workflow_dispatch' }}
       with:
         name: tarballs
         path: tarballs
 
     - name: Extract tarball
-      if: ${{ github.event_name != 'workflow_dispatch' }}
       shell: bash
       run: |
         tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
@@ -61,11 +56,9 @@ runs:
           --pure --keep TAR_DIR --keep FLAKY_TESTS \
           --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
           --arg loadJSBuiltinsDynamically false \
-          --arg useSeparateDerivationForV8 true \
           --arg ccache "${NIX_SCCACHE:-null}" \
           --arg devTools '[]' \
           --arg benchmarkTools '[]' \
-          ${{ endsWith(inputs.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
           ${{ inputs.extra-nix-args }} \
           --run '
               make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS"
diff --git a/.github/workflows/test-shared.yml b/.github/workflows/test-shared.yml
@@ -117,12 +117,10 @@ jobs:
     runs-on: ubuntu-slim
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        if: ${{ github.event_name != 'workflow_dispatch' }}
         with:
           persist-credentials: false
 
       - name: Make tarball
-        if: ${{ github.event_name != 'workflow_dispatch' }}
         run: |
           export DATESTRING=$(date "+%Y-%m-%d")
           export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA")
@@ -131,7 +129,6 @@ jobs:
           DISTTYPE: nightly
 
       - name: Upload tarball artifact
-        if: ${{ github.event_name != 'workflow_dispatch' }}
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: tarballs
@@ -157,102 +154,93 @@ jobs:
     runs-on: ${{ matrix.runner }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        if: ${{ github.event_name != 'workflow_dispatch' }}
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
+          sparse-checkout-cone-mode: false
       - uses: ./.github/actions/build-shared
-        if: ${{ github.event_name != 'workflow_dispatch' }}
         with:
-          system: ${{ matrix.system }}
           cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          extra-nix-attrs: |
+            --arg useSeparateDerivationForV8 true \
+            ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
 
   build-aarch64-linux-v8:
     needs: build-tarball
     runs-on: ubuntu-24.04-arm
-    name: 'aarch64-linux: Cache V8 build'
+    name: 'aarch64-linux: Build V8'
+    outputs:
+      matrix: ${{ steps.query.outputs.matrix }}
     steps:
-      - name: Check if Cachix is available
-        id: cachix-check
-        run: echo 'IS_AVAILABLE=${{ secrets.CACHIX_AUTH_TOKEN && 'true' }}' >> "$GITHUB_OUTPUT"
-
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
-        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
         with:
           name: tarballs
           path: tarballs
 
       - name: Extract tarball
-        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
         shell: bash
         run: |
           tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
           echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"
 
       - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe  # v31.10.3
-        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
         with:
           extra_nix_config: sandbox = true
 
       - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c  # v17
-        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
         with:
           name: nodejs
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Build V8 derivation
-        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
+        id: build
         run: |
-          nix-build "$(
+          echo "V8_DIR=$(nix-build "$(
             nix-instantiate -E "builtins.filter (p: p.pname == ''v8'') (import $TAR_DIR/shell.nix { useSeparateDerivationForV8=true; }).buildInputs"
-          )"
+          )")" >> "$GITHUB_OUTPUT"
 
-  # Builds the matrix for `build-openssl` from tools/nix/openssl-matrix.json.
-  # Output shape:
-  # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
-  collect-openssl-versions:
-    if: github.event.pull_request.draft == false
-    runs-on: ubuntu-slim
-    outputs:
-      matrix: ${{ steps.query.outputs.matrix }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - name: Upload tarball artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
-          persist-credentials: false
-          sparse-checkout: tools/nix/openssl-matrix.json
-          sparse-checkout-cone-mode: false
-      - id: query
+          name: libv8
+          path: ${{ steps.build.outputs.V8_DIR }}
+
+      - name: Compute OpenSSL support matrix
+        id: query
         run: |
-          {
-            echo 'matrix<<EOF'
-            cat tools/nix/openssl-matrix.json
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
+          echo "matrix=$(nix-instantiate --eval --strict --json -E "
+            let
+              matrix = import $TAR_DIR/tools/nix/openssl-matrix.nix {};
+            in
+            builtins.map (attr: { inherit attr; inherit (builtins.getAttr attr matrix) name; }) (builtins.attrNames matrix)
+          ")" >> "$GITHUB_OUTPUT"
 
   # Builds and tests Node.js with shared libraries against every supported
   # OpenSSL release version available in the repo-pinned nixpkgs. The default
   # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix
   # entry, while all other shared libs remain at their defaults. Only runs on
   # a single runner/system (aarch64-linux) to keep the matrix to a minimum.
   build-openssl:
-    needs:
-      - build-aarch64-linux-v8
-      - collect-openssl-versions
+    needs: build-aarch64-linux-v8
     strategy:
       fail-fast: false
       matrix:
-        openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }}
+        openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }}
     name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})'
     runs-on: ubuntu-24.04-arm
     continue-on-error: ${{ matrix.openssl['continue-on-error'] }}
     env:
       OPENSSL_ATTR: ${{ matrix.openssl.attr }}
-      OPENSSL_VERSION: ${{ matrix.openssl.version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
+          sparse-checkout-cone-mode: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: libv8
+          path: ${{ runner.temp }}/libv8
       - uses: ./.github/actions/build-shared
         with:
           system: aarch64-linux
@@ -263,4 +251,8 @@ jobs:
           # `permittedInsecurePackages` whitelists just the matrix-selected
           # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support
           # cycles evaluate without relaxing nixpkgs' meta check globally.
-          extra-nix-args: --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { openssl = (import $TAR_DIR/tools/nix/pkgs.nix { config.permittedInsecurePackages = [ \"openssl-$OPENSSL_VERSION\" ]; }).$OPENSSL_ATTR; }"
+          extra-nix-args: |
+            --arg useSeparateDerivationForV8 "$RUNNER_TEMP/libv8" \
+            --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // {
+                openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR;
+              }"
diff --git a/tools/nix/openssl-matrix.nix b/tools/nix/openssl-matrix.nix
@@ -0,0 +1,15 @@
+{
+  pkgs ? import ./pkgs.nix {
+    config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
+  },
+}:
+
+{
+  inherit (pkgs)
+    openssl_1_1
+    openssl_3
+    openssl_3_5
+    openssl_3_6
+    openssl_4_0
+    ;
+}
