From: Dmitry Misharov Date: Mon, 10 Nov 2025 09:11:18 +0000 (+0100) Subject: revert changes in "FIPS Check and ABIDIFF" workflow X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~206 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd79a2317406bc10594b5388de48ba6aa29b5848;p=thirdparty%2Fopenssl.git revert changes in "FIPS Check and ABIDIFF" workflow Applying labels is not possible from pull request context. This commit reverts changes from 8948ccdf03435368cd894b944b116e6c5a17ec59 commit. Reviewed-by: Saša Nedvědický Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/29112) --- diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 1c38204b1e0..67e7cd13a96 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -14,8 +14,6 @@ permissions: jobs: compute-checksums: runs-on: ubuntu-latest - outputs: - fips_status: ${{ steps.fips_result.outputs.fips_status }} steps: - name: install unifdef run: | 
@@ -67,24 +65,19 @@ jobs: cp -a build-pristine/providers/fips.module.sources.new source/providers/fips.module.sources cp -a build-pristine/providers/fips-sources.checksums.new source/providers/fips-sources.checksums cp -a build-pristine/providers/fips.checksum.new source/providers/fips.checksum - - id: fips_result - name: diff-fips-checksums (record status) - run: | - set +e - make -C build diff-fips-checksums - rc=$? - if [ $rc -eq 0 ]; then - echo "fips_status=unchanged" >> "$GITHUB_OUTPUT" - else - echo "fips_status=changed" >> "$GITHUB_OUTPUT" - echo "FIPS CHANGED" - fi - exit 0 + - name: make diff-fips-checksums + run: make diff-fips-checksums && touch ../artifact/fips_unchanged || ( touch ../artifact/fips_changed ; echo FIPS CHANGED ) + working-directory: ./build + - name: save PR number + run: echo ${{ github.event.number }} > ./artifact/pr_num + - name: save artifact + uses: actions/upload-artifact@v4 + with: + name: fips_checksum + path: artifact/ compute-abidiff: runs-on: ubuntu-latest - outputs: - abi_status: ${{ steps.abi_result.outputs.abi_status }} env: BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd steps: 
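Review bot: In the `make diff-fips-checksums` step the `make … && touch ../artifact/fips_unchanged || ( … )` chain also takes the `fips_changed` branch when the `touch` itself fails, so a missing or unwritable `../artifact` directory is recorded as a FIPS change and the step still succeeds. An explicit conditional separates the two outcomes and lets a failed `touch` fail the step: `if make diff-fips-checksums; then touch ../artifact/fips_unchanged; else touch ../artifact/fips_changed; echo FIPS CHANGED; fi`. A make failure for any other reason is still reported as a change, because the exit status alone cannot tell the two apart; a short comment on the step saying so would help. The `abidiff` step in the next hunk uses the same chain and would take the same change; where `artifact/` is created lies outside this hunk.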
@@ -119,73 +112,12 @@ jobs: - name: make run: make -s -j4 working-directory: ./build - - id: abi_result - name: abidiff (record status) - run: | - set +e - abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so \ - && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so - rc=$? - if [ $rc -eq 0 ]; then - echo "abi_status=unchanged" >> "$GITHUB_OUTPUT" - else - echo "abi_status=changed" >> "$GITHUB_OUTPUT" - echo "ABI CHANGED" - fi - exit 0 - - apply-label: - permissions: - contents: read - pull-requests: write - needs: [compute-checksums, compute-abidiff] - runs-on: ubuntu-latest - steps: - - name: Apply/Remove labels (github-script) - uses: actions/github-script@v8 - env: - PR_NUM: ${{ github.event.number }} - FIPS_STATUS: ${{ needs.compute-checksums.outputs.fips_status }} - ABI_STATUS: ${{ needs.compute-abidiff.outputs.abi_status }} + - name: abidiff + run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED ) + - name: save PR number + run: echo ${{ github.event.number }} > ./artifact/pr_num + - name: save artifact + uses: actions/upload-artifact@v5 with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const prNum = Number(process.env.PR_NUM); - const fipsStatus = process.env.FIPS_STATUS; - const abiStatus = process.env.ABI_STATUS; - const owner = context.repo.owner; - const repo = context.repo.repo; - - const FIPS_LABEL = 'severity: fips change'; - const ABI_LABEL = 'severity: ABI change'; - 
- async function ensureRemoved(label) { - const { data } = await github.rest.issues.listLabelsOnIssue({ owner, repo, issue_number: prNum }); - const exists = data.some(l => l.name === label); - if (exists) { - await github.rest.issues.removeLabel({ owner, repo, issue_number: prNum, name: label }); - core.info(`Removed label: ${label}`); - } else { - core.info(`Label not present: ${label}`); - } - } - - // FIPS - if (fipsStatus === 'changed') { - await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [FIPS_LABEL] }); - core.info(`Added label: ${FIPS_LABEL}`); - } else if (fipsStatus === 'unchanged') { - await ensureRemoved(FIPS_LABEL); - } else { - core.warning(`Unknown FIPS status: ${fipsStatus}`); - } - - // ABI - if (abiStatus === 'changed') { - await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [ABI_LABEL] }); - core.info(`Added label: ${ABI_LABEL}`); - } else if (abiStatus === 'unchanged') { - await ensureRemoved(ABI_LABEL); - } else { - core.warning(`Unknown ABI status: ${abiStatus}`); - } + name: abidiff + path: artifact/ diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml new file mode 100644 index 00000000000..0dc8f576a0b --- /dev/null +++ b/.github/workflows/fips-label.yml 
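Review bot: The `save artifact` step added to `compute-abidiff` uses `actions/upload-artifact@v5`, while the same step added to `compute-checksums` in the previous hunk uses `actions/upload-artifact@v4`; both jobs should use one major version. These artifacts are later consumed by a workflow holding `pull-requests: write`, so pinning the action to a full commit SHA instead of a movable tag is worth considering, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v5` (placeholder, not a real hash).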
@@ -0,0 +1,141 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +name: FIPS and ABI Changed Label +on: + workflow_run: + workflows: ["FIPS Check and ABIDIFF"] + types: + - completed + +permissions: + contents: read + +jobs: + apply-label: + permissions: + actions: read + pull-requests: write + runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.event == 'pull_request' }} + steps: + - name: 'Download fipscheck artifact' + if: ${{ github.event.workflow_run.conclusion == 'success' }} + uses: actions/github-script@v8 + with: + script: | + var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "fips_checksum" + })[0]; + var download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data)); + - run: unzip artifact.zip + if: ${{ github.event.workflow_run.conclusion == 'success' }} + - name: 'Check artifact and apply' + if: ${{ github.event.workflow_run.conclusion == 'success' }} + uses: actions/github-script@v8 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + var fs = require('fs'); + var pr_num = Number(fs.readFileSync('./pr_num')); + if ( fs.existsSync('./fips_changed') ) { + github.rest.issues.addLabels({ + issue_number: pr_num, + owner: context.repo.owner, + repo: context.repo.repo, + labels: ['severity: fips change'] + }); + } else if ( 
fs.existsSync('./fips_unchanged') ) { + var labels = await github.rest.issues.listLabelsOnIssue({ + issue_number: pr_num, + owner: context.repo.owner, + repo: context.repo.repo + }); + + for ( var label in labels.data ) { + if (labels.data[label].name == 'severity: fips change') { + github.rest.issues.removeLabel({ + issue_number: pr_num, + owner: context.repo.owner, + repo: context.repo.repo, + name: 'severity: fips change' + }); + } + } + } + - name: 'Cleanup artifact' + if: ${{ github.event.workflow_run.conclusion == 'success' }} + run: rm artifact.zip pr_num + + - name: 'Download abidiff artifact' + if: ${{ github.event.workflow_run.conclusion == 'success' }} + uses: actions/github-script@v8 + with: + script: | + var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "abidiff" + })[0]; + var download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data)); + - run: unzip artifact.zip + if: ${{ github.event.workflow_run.conclusion == 'success' }} + - name: 'Check artifact and apply' + if: ${{ github.event.workflow_run.conclusion == 'success' }} + uses: actions/github-script@v8 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + var fs = require('fs'); + var pr_num = Number(fs.readFileSync('./pr_num')); + if ( fs.existsSync('./abi_changed') ) { + github.rest.issues.addLabels({ + issue_number: pr_num, + owner: context.repo.owner, + repo: context.repo.repo, + labels: ['severity: ABI change'] + }); + } else if ( fs.existsSync('./abi_unchanged') ) { + var labels = await github.rest.issues.listLabelsOnIssue({ + issue_number: 
pr_num, + owner: context.repo.owner, + repo: context.repo.repo + }); + + for ( var label in labels.data ) { + if (labels.data[label].name == 'severity: ABI change') { + github.rest.issues.removeLabel({ + issue_number: pr_num, + owner: context.repo.owner, + repo: context.repo.repo, + name: 'severity: ABI change' + }); + } + } + }
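Review bot: `pr_num` is read from the downloaded artifact in both 'Check artifact and apply' steps and passed straight to `issue_number`, but the artifact is written by the pull_request run, which builds code from the PR, so its contents are untrusted input to a job holding `pull-requests: write`. `Number()` keeps the value numeric, yet nothing ties it to the run that triggered this workflow, so a label could be added to or removed from a different pull request. I would validate the value and check that the PR's head commit equals the triggering run's `head_sha` before labelling, as sketched below for the FIPS step (the ABI step needs the same; the `head_sha` comparison should be confirmed on a test PR from a fork). The `addLabels` and `removeLabel` calls are also not awaited, so a failed API call will not fail the step; prefix them with `await`.

```yaml
        script: |
          var fs = require('fs');
          var pr_num = Number(fs.readFileSync('./pr_num', 'utf8').trim());
          if (!Number.isInteger(pr_num) || pr_num <= 0) {
            core.setFailed('pr_num from artifact is not a valid pull request number');
            return;
          }
          var pr = await github.rest.pulls.get({
            owner: context.repo.owner,
            repo: context.repo.repo,
            pull_number: pr_num
          });
          if (pr.data.head.sha !== context.payload.workflow_run.head_sha) {
            core.setFailed('pr_num from artifact does not match the triggering run');
            return;
          }
          // … unchanged: fips_changed / fips_unchanged label handling …
```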