wolfssl/.github/workflows/smoke-test.yml at 5bdb96cf7d18803fef2dc7fd960825a3dc85b389 · wolfSSL/wolfssl · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: Smoke Test

# Fast pre-flight build + make check across common-failure configs derived
# from the Jenkins PRB top-10 (last 30 days). Intentionally runs on drafts
# too: this is the gate that protects the rest of CI. Other PR workflows
# wait for this via .github/actions/wait-for-smoke.
#
# CFLAGS=-Werror is applied at make time only (not ./configure) so autoconf
# feature detection is not poisoned by benign warnings in conftest probes.
#
# For pull_request events the workflow tests the POST-MERGE tree:
# the PR head is checked out, the base branch is merged in, and:
#   * a merge conflict fails the job before any build runs.
#   * if the PR tree is identical to base (no diff), the matrix is skipped.
#   * otherwise the build runs against the merged tree.
# This catches stale PRs whose head builds clean but whose merge with
# current master would break.

on:
  push:
    branches: [ master, main ]
    paths-ignore:
      - '**/*.md'
      - 'doc/**'
      - 'AUTHORS'
      - 'LICENSING'
      - 'ChangeLog.md'
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [ master, main ]

concurrency:
  group: smoke-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  smoke:
    runs-on: ubuntu-24.04
    timeout-minutes: 25
    strategy:
      fail-fast: false
      matrix:
        config:
          - name: default
            args: ""
          - name: enable-all
            args: "--enable-all"
          - name: opensslextra
            args: "--enable-opensslextra"
          - name: enable-all-smallstack
            args: "--enable-all --enable-smallstack"
          - name: cryptonly
            args: "--enable-cryptonly"
          # Below entries target the top Jenkins PRB failure modes
          # (-Werror unused-function / implicit-decl / link errors).
          - name: leantls-extra
            args: "--enable-leantls --enable-session-ticket --enable-sni --enable-opensslextra"
          - name: dtls-suite
            args: "--enable-psk --enable-dtls --enable-dtls13 --enable-dtls-mtu --enable-aesccm --enable-opensslextra"
          - name: integration
            args: "--enable-openssh --enable-lighty --enable-stunnel --enable-opensslextra"
          # AddressSanitizer (UBSAN excluded - current master has known
          # left-shift UB in auto-generated SP math).
          - name: sanitize-asan
            args: "--enable-all"
            cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
            ldflags: "-fsanitize=address"
    env:
      MAKE_CFLAGS: "-Werror"
    steps:
      # For PRs we explicitly check out the PR head (not the auto-merge
      # ref) and do the merge ourselves below so we can fail fast on
      # conflicts. For push events we just check out the pushed SHA.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Merge base into PR head (fail fast on conflict)
        id: merge_check
        if: github.event_name == 'pull_request'
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          set -e
          git config user.email "ci@wolfssl.invalid"
          git config user.name "wolfSSL CI Merge"
          git fetch --no-tags origin "$BASE_REF"
          BASE_SHA=$(git rev-parse FETCH_HEAD)
          if git diff --quiet "$BASE_SHA" HEAD; then
            echo "::notice::PR tree is identical to $BASE_REF; skipping smoke matrix."
            echo "skip=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if ! git merge --no-ff --no-commit "$BASE_SHA"; then
            echo "::error::Merge conflicts with $BASE_REF - please rebase or merge $BASE_REF into the PR branch before testing."
            git merge --abort || true
            exit 1
          fi
          echo "skip=false" >> "$GITHUB_OUTPUT"
          echo "Clean merge with $BASE_REF; testing post-merge tree."

      - name: Install dependencies
        if: steps.merge_check.outputs.skip != 'true'
        uses: ./.github/actions/install-apt-deps
        with:
          packages: autoconf automake libtool build-essential

      - name: autogen
        if: steps.merge_check.outputs.skip != 'true'
        run: ./autogen.sh

      - name: configure ${{ matrix.config.name }}
        if: steps.merge_check.outputs.skip != 'true'
        run: ./configure ${{ matrix.config.args }}

      - name: make
        if: steps.merge_check.outputs.skip != 'true'
        env:
          ENTRY_CFLAGS: ${{ matrix.config.cflags }}
          ENTRY_LDFLAGS: ${{ matrix.config.ldflags }}
        run: |
          FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"
          make -j"$(nproc)" CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS"

      - name: make check
        if: steps.merge_check.outputs.skip != 'true'
        env:
          ENTRY_CFLAGS: ${{ matrix.config.cflags }}
          ENTRY_LDFLAGS: ${{ matrix.config.ldflags }}
        run: |
          FLAGS="${ENTRY_CFLAGS:-$MAKE_CFLAGS}"
          make check CFLAGS="$FLAGS" LDFLAGS="$ENTRY_LDFLAGS"