jobs:
compute-checksums:
runs-on: ubuntu-latest
- outputs:
- fips_status: ${{ steps.fips_result.outputs.fips_status }}
steps:
- name: install unifdef
run: |
cp -a build-pristine/providers/fips.module.sources.new source/providers/fips.module.sources
cp -a build-pristine/providers/fips-sources.checksums.new source/providers/fips-sources.checksums
cp -a build-pristine/providers/fips.checksum.new source/providers/fips.checksum
- - id: fips_result
- name: diff-fips-checksums (record status)
- run: |
- set +e
- make -C build diff-fips-checksums
- rc=$?
- if [ $rc -eq 0 ]; then
- echo "fips_status=unchanged" >> "$GITHUB_OUTPUT"
- else
- echo "fips_status=changed" >> "$GITHUB_OUTPUT"
- echo "FIPS CHANGED"
- fi
- exit 0
+ - name: make diff-fips-checksums
+ run: make diff-fips-checksums && touch ../artifact/fips_unchanged || ( touch ../artifact/fips_changed ; echo FIPS CHANGED )
+ working-directory: ./build
+ - name: save PR number
+ run: echo ${{ github.event.number }} > ./artifact/pr_num
+ - name: save artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: fips_checksum
+ path: artifact/
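Review bot: The `make diff-fips-checksums && touch ../artifact/fips_unchanged || ( … )` chain writes `fips_changed` for every non-zero exit, so a build or tooling failure looks the same as a real checksum difference, and a failed `touch` of the unchanged marker also falls into the changed branch. Failing toward "changed" is the conservative direction for this label, but it hides the underlying error from whoever reads the label. The `abidiff` step in compute-abidiff uses the same chain, and abidiff reports errors and usage errors in different exit-status bits from ABI changes, so a missing library would be labelled as an ABI change. Consider an explicit `if make diff-fips-checksums; then touch ../artifact/fips_unchanged; else touch ../artifact/fips_changed; echo FIPS CHANGED; fi`, and for abidiff capture `rc=$?` and write `abi_changed` only when the change bits are set, failing the step otherwise.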
compute-abidiff:
runs-on: ubuntu-latest
- outputs:
- abi_status: ${{ steps.abi_result.outputs.abi_status }}
env:
BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd
steps:
- name: make
run: make -s -j4
working-directory: ./build
- - id: abi_result
- name: abidiff (record status)
- run: |
- set +e
- abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so \
- && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so
- rc=$?
- if [ $rc -eq 0 ]; then
- echo "abi_status=unchanged" >> "$GITHUB_OUTPUT"
- else
- echo "abi_status=changed" >> "$GITHUB_OUTPUT"
- echo "ABI CHANGED"
- fi
- exit 0
-
- apply-label:
- permissions:
- contents: read
- pull-requests: write
- needs: [compute-checksums, compute-abidiff]
- runs-on: ubuntu-latest
- steps:
- - name: Apply/Remove labels (github-script)
- uses: actions/github-script@v8
- env:
- PR_NUM: ${{ github.event.number }}
- FIPS_STATUS: ${{ needs.compute-checksums.outputs.fips_status }}
- ABI_STATUS: ${{ needs.compute-abidiff.outputs.abi_status }}
+ - name: abidiff
+ run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED )
+ - name: save PR number
+ run: echo ${{ github.event.number }} > ./artifact/pr_num
+ - name: save artifact
+ uses: actions/upload-artifact@v5
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const prNum = Number(process.env.PR_NUM);
- const fipsStatus = process.env.FIPS_STATUS;
- const abiStatus = process.env.ABI_STATUS;
- const owner = context.repo.owner;
- const repo = context.repo.repo;
-
- const FIPS_LABEL = 'severity: fips change';
- const ABI_LABEL = 'severity: ABI change';
-
- async function ensureRemoved(label) {
- const { data } = await github.rest.issues.listLabelsOnIssue({ owner, repo, issue_number: prNum });
- const exists = data.some(l => l.name === label);
- if (exists) {
- await github.rest.issues.removeLabel({ owner, repo, issue_number: prNum, name: label });
- core.info(`Removed label: ${label}`);
- } else {
- core.info(`Label not present: ${label}`);
- }
- }
-
- // FIPS
- if (fipsStatus === 'changed') {
- await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [FIPS_LABEL] });
- core.info(`Added label: ${FIPS_LABEL}`);
- } else if (fipsStatus === 'unchanged') {
- await ensureRemoved(FIPS_LABEL);
- } else {
- core.warning(`Unknown FIPS status: ${fipsStatus}`);
- }
-
- // ABI
- if (abiStatus === 'changed') {
- await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [ABI_LABEL] });
- core.info(`Added label: ${ABI_LABEL}`);
- } else if (abiStatus === 'unchanged') {
- await ensureRemoved(ABI_LABEL);
- } else {
- core.warning(`Unknown ABI status: ${abiStatus}`);
- }
+ name: abidiff
+ path: artifact/
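Review bot: This `save artifact` step uses `actions/upload-artifact@v5` while the same step in compute-checksums uses `@v4`, so the two artifacts read by the labelling workflow come from different major versions of the action. Align both jobs on one version. Because these artifacts feed a workflow that holds `pull-requests: write`, consider pinning the action to a full commit SHA instead of a movable tag, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v5`.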
--- /dev/null
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+name: FIPS and ABI Changed Label
+on:
+ workflow_run:
+ workflows: ["FIPS Check and ABIDIFF"]
+ types:
+ - completed
+
+permissions:
+ contents: read
+
+jobs:
+ apply-label:
+ permissions:
+ actions: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.event == 'pull_request' }}
+ steps:
+ - name: 'Download fipscheck artifact'
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ uses: actions/github-script@v8
+ with:
+ script: |
+ var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "fips_checksum"
+ })[0];
+ var download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
+ - run: unzip artifact.zip
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ - name: 'Check artifact and apply'
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ uses: actions/github-script@v8
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ var fs = require('fs');
+ var pr_num = Number(fs.readFileSync('./pr_num'));
+ if ( fs.existsSync('./fips_changed') ) {
+ github.rest.issues.addLabels({
+ issue_number: pr_num,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: ['severity: fips change']
+ });
+ } else if ( fs.existsSync('./fips_unchanged') ) {
+ var labels = await github.rest.issues.listLabelsOnIssue({
+ issue_number: pr_num,
+ owner: context.repo.owner,
+ repo: context.repo.repo
+ });
+
+ for ( var label in labels.data ) {
+ if (labels.data[label].name == 'severity: fips change') {
+ github.rest.issues.removeLabel({
+ issue_number: pr_num,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: 'severity: fips change'
+ });
+ }
+ }
+ }
+ - name: 'Cleanup artifact'
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ run: rm artifact.zip pr_num
+
+ - name: 'Download abidiff artifact'
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ uses: actions/github-script@v8
+ with:
+ script: |
+ var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "abidiff"
+ })[0];
+ var download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
+ - run: unzip artifact.zip
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ - name: 'Check artifact and apply'
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ uses: actions/github-script@v8
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ var fs = require('fs');
+ var pr_num = Number(fs.readFileSync('./pr_num'));
+ if ( fs.existsSync('./abi_changed') ) {
+ github.rest.issues.addLabels({
+ issue_number: pr_num,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: ['severity: ABI change']
+ });
+ } else if ( fs.existsSync('./abi_unchanged') ) {
+ var labels = await github.rest.issues.listLabelsOnIssue({
+ issue_number: pr_num,
+ owner: context.repo.owner,
+ repo: context.repo.repo
+ });
+
+ for ( var label in labels.data ) {
+ if (labels.data[label].name == 'severity: ABI change') {
+ github.rest.issues.removeLabel({
+ issue_number: pr_num,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: 'severity: ABI change'
+ });
+ }
+ }
+ }
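Review bot: Both 'Check artifact and apply' steps take the PR number from `./pr_num` inside the downloaded artifact, which is written by the pull_request-triggered run and so is controlled by the PR's contents, while this job holds `pull-requests: write`. `Number(...)` restricts the value to a number, but nothing ties it to the run that triggered this workflow, so the label change can land on an unrelated PR or issue. Validate the value and compare the PR's head SHA with the triggering run's `head_sha` before labelling; this assumes `head_sha` is the PR head commit, which should be confirmed. In the same steps, `addLabels` and `removeLabel` are not awaited, `matchArtifact` is dereferenced without checking that the artifact exists, and `unzip artifact.zip` extracts into the workspace root rather than a dedicated directory (`unzip -d artifact artifact.zip`).

```yaml
      - name: 'Check artifact and apply'
        # … unchanged: if / uses / github-token …
        with:
          script: |
            const fs = require('fs');
            const prNum = Number(fs.readFileSync('./pr_num', 'utf8').trim());
            if (!Number.isInteger(prNum) || prNum <= 0) {
              core.setFailed('pr_num from artifact is not a positive integer');
              return;
            }
            // The artifact was written by the PR-triggered run, so confirm the
            // number it names belongs to that run before changing any label.
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNum,
            });
            if (pr.data.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed(`PR #${prNum} head does not match the triggering run`);
              return;
            }
            // … unchanged: fips_changed / fips_unchanged branches, with `await` added to addLabels and removeLabel …
```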