jobs:
compute-checksums:
runs-on: ubuntu-latest
+ outputs:
+ fips_status: ${{ steps.fips_result.outputs.fips_status }}
steps:
- name: install unifdef
run: |
cp -a build-pristine/providers/fips.module.sources.new source/providers/fips.module.sources
cp -a build-pristine/providers/fips-sources.checksums.new source/providers/fips-sources.checksums
cp -a build-pristine/providers/fips.checksum.new source/providers/fips.checksum
- - name: make diff-fips-checksums
- run: make diff-fips-checksums && touch ../artifact/fips_unchanged || ( touch ../artifact/fips_changed ; echo FIPS CHANGED )
- working-directory: ./build
- - name: save PR number
- run: echo ${{ github.event.number }} > ./artifact/pr_num
- - name: save artifact
- uses: actions/upload-artifact@v4
- with:
- name: fips_checksum
- path: artifact/
+ - id: fips_result
+ name: diff-fips-checksums (record status)
+ run: |
+ set +e
+ make -C build diff-fips-checksums
+ rc=$?
+ if [ $rc -eq 0 ]; then
+ echo "fips_status=unchanged" >> "$GITHUB_OUTPUT"
+ else
+ echo "fips_status=changed" >> "$GITHUB_OUTPUT"
+ echo "FIPS CHANGED"
+ fi
+ exit 0
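Review bot: In the `fips_result` step, `set +e` followed by an unconditional `exit 0` turns every non-zero status from `make -C build diff-fips-checksums` into `fips_status=changed`, so a broken build tree or a missing target cannot be told apart from a real FIPS checksum change once the label is applied. At minimum record the status next to the output, e.g. `echo "::notice::diff-fips-checksums exited with status $rc"`, so a reviewer can distinguish the two from the log. The `abi_result` step further down has the same pattern, and there the distinction is recoverable: abidiff's exit status is a bit field whose two low bits mean tool or usage error, so `if [ $((rc & 3)) -ne 0 ]; then echo "::error::abidiff failed (status $rc)"; exit 1; fi` placed before the `if [ $rc -eq 0 ]` test would keep tool failures out of `abi_status`.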
compute-abidiff:
runs-on: ubuntu-latest
+ outputs:
+ abi_status: ${{ steps.abi_result.outputs.abi_status }}
env:
BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd
steps:
- name: make
run: make -s -j4
working-directory: ./build
- - name: abidiff
- run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED )
- - name: save PR number
- run: echo ${{ github.event.number }} > ./artifact/pr_num
- - name: save artifact
- uses: actions/upload-artifact@v4
+ - id: abi_result
+ name: abidiff (record status)
+ run: |
+ set +e
+ abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so \
+ && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so
+ rc=$?
+ if [ $rc -eq 0 ]; then
+ echo "abi_status=unchanged" >> "$GITHUB_OUTPUT"
+ else
+ echo "abi_status=changed" >> "$GITHUB_OUTPUT"
+ echo "ABI CHANGED"
+ fi
+ exit 0
+
+ apply-label:
+ permissions:
+ contents: read
+ pull-requests: write
+ needs: [compute-checksums, compute-abidiff]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Apply/Remove labels (github-script)
+ uses: actions/github-script@v7
+ env:
+ PR_NUM: ${{ github.event.number }}
+ FIPS_STATUS: ${{ needs.compute-checksums.outputs.fips_status }}
+ ABI_STATUS: ${{ needs.compute-abidiff.outputs.abi_status }}
with:
- name: abidiff
- path: artifact/
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const prNum = Number(process.env.PR_NUM);
+ const fipsStatus = process.env.FIPS_STATUS;
+ const abiStatus = process.env.ABI_STATUS;
+ const owner = context.repo.owner;
+ const repo = context.repo.repo;
+
+ const FIPS_LABEL = 'severity: fips change';
+ const ABI_LABEL = 'severity: ABI change';
+
+ async function ensureRemoved(label) {
+ const { data } = await github.rest.issues.listLabelsOnIssue({ owner, repo, issue_number: prNum });
+ const exists = data.some(l => l.name === label);
+ if (exists) {
+ await github.rest.issues.removeLabel({ owner, repo, issue_number: prNum, name: label });
+ core.info(`Removed label: ${label}`);
+ } else {
+ core.info(`Label not present: ${label}`);
+ }
+ }
+
+ // FIPS
+ if (fipsStatus === 'changed') {
+ await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [FIPS_LABEL] });
+ core.info(`Added label: ${FIPS_LABEL}`);
+ } else if (fipsStatus === 'unchanged') {
+ await ensureRemoved(FIPS_LABEL);
+ } else {
+ core.warning(`Unknown FIPS status: ${fipsStatus}`);
+ }
+
+ // ABI
+ if (abiStatus === 'changed') {
+ await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [ABI_LABEL] });
+ core.info(`Added label: ${ABI_LABEL}`);
+ } else if (abiStatus === 'unchanged') {
+ await ensureRemoved(ABI_LABEL);
+ } else {
+ core.warning(`Unknown ABI status: ${abiStatus}`);
+ }
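Review bot: `apply-label` requests `pull-requests: write` inside the workflow that also builds the PR, and whether that is safe or even effective depends on the `on:` trigger, which is outside this hunk. If the trigger is `pull_request`, fork PRs normally get a read-only `GITHUB_TOKEN` whatever the `permissions:` block says, so `addLabels` and `removeLabel` would be rejected for outside contributors; if it is `pull_request_target`, the compute jobs run `make` on PR-controlled sources with a privileged token in reach. The `workflow_run` workflow deleted by this commit was the boundary between those two cases, so the job should carry a comment naming the trigger it relies on, and both compute jobs should declare `permissions: contents: read` explicitly (assuming they do not already, which is not visible here). Separately, `prNum` comes from `Number(process.env.PR_NUM)` and is used unchecked; `if (!Number.isInteger(prNum) || prNum <= 0) { core.setFailed('no PR number'); return; }` ahead of the first API call avoids requests against issue 0 or NaN.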
+++ /dev/null
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: FIPS and ABI Changed Label
-on:
- workflow_run:
- workflows: ["FIPS Check and ABIDIFF"]
- types:
- - completed
-
-permissions:
- contents: read
-
-jobs:
- apply-label:
- permissions:
- actions: read
- pull-requests: write
- runs-on: ubuntu-latest
- if: ${{ github.event.workflow_run.event == 'pull_request' }}
- steps:
- - name: 'Download fipscheck artifact'
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: actions/github-script@v7
- with:
- script: |
- var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
- owner: context.repo.owner,
- repo: context.repo.repo,
- run_id: ${{github.event.workflow_run.id }},
- });
- var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
- return artifact.name == "fips_checksum"
- })[0];
- var download = await github.rest.actions.downloadArtifact({
- owner: context.repo.owner,
- repo: context.repo.repo,
- artifact_id: matchArtifact.id,
- archive_format: 'zip',
- });
- var fs = require('fs');
- fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
- - run: unzip artifact.zip
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- - name: 'Check artifact and apply'
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: actions/github-script@v7
- with:
- github-token: ${{secrets.GITHUB_TOKEN}}
- script: |
- var fs = require('fs');
- var pr_num = Number(fs.readFileSync('./pr_num'));
- if ( fs.existsSync('./fips_changed') ) {
- github.rest.issues.addLabels({
- issue_number: pr_num,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: ['severity: fips change']
- });
- } else if ( fs.existsSync('./fips_unchanged') ) {
- var labels = await github.rest.issues.listLabelsOnIssue({
- issue_number: pr_num,
- owner: context.repo.owner,
- repo: context.repo.repo
- });
-
- for ( var label in labels.data ) {
- if (labels.data[label].name == 'severity: fips change') {
- github.rest.issues.removeLabel({
- issue_number: pr_num,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: 'severity: fips change'
- });
- }
- }
- }
- - name: 'Cleanup artifact'
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- run: rm artifact.zip pr_num
-
- - name: 'Download abidiff artifact'
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: actions/github-script@v7
- with:
- script: |
- var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
- owner: context.repo.owner,
- repo: context.repo.repo,
- run_id: ${{github.event.workflow_run.id }},
- });
- var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
- return artifact.name == "abidiff"
- })[0];
- var download = await github.rest.actions.downloadArtifact({
- owner: context.repo.owner,
- repo: context.repo.repo,
- artifact_id: matchArtifact.id,
- archive_format: 'zip',
- });
- var fs = require('fs');
- fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
- - run: unzip artifact.zip
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- - name: 'Check artifact and apply'
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- uses: actions/github-script@v7
- with:
- github-token: ${{secrets.GITHUB_TOKEN}}
- script: |
- var fs = require('fs');
- var pr_num = Number(fs.readFileSync('./pr_num'));
- if ( fs.existsSync('./abi_changed') ) {
- github.rest.issues.addLabels({
- issue_number: pr_num,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: ['severity: ABI change']
- });
- } else if ( fs.existsSync('./abi_unchanged') ) {
- var labels = await github.rest.issues.listLabelsOnIssue({
- issue_number: pr_num,
- owner: context.repo.owner,
- repo: context.repo.repo
- });
-
- for ( var label in labels.data ) {
- if (labels.data[label].name == 'severity: ABI change') {
- github.rest.issues.removeLabel({
- issue_number: pr_num,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: 'severity: ABI change'
- });
- }
- }
- }