From: Zachary Ware <zach@python.org>
Date: Mon, 23 Mar 2026 23:28:27 +0000 (-0500)
Subject: [3.14] gh-136728: Combine OpenSSL and AWS-LC CI configurations (GH-144805) (GH-145397)
X-Git-Tag: v3.14.4~79
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d64665b6ae74b54c09a86ae2ea23f578b6927f96;p=thirdparty%2FPython%2Fcpython.git

[3.14] gh-136728: Combine OpenSSL and AWS-LC CI configurations (GH-144805) (GH-145397)

(cherry picked from commit c9b96b1e6fea13dc2879dcc626015c06dc0056ac)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
---

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 258039d64f2f..caa3f5ac6a89 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -289,7 +289,7 @@ jobs:
       os: ${{ matrix.os }}
 
   build-ubuntu-ssltests:
-    name: 'Ubuntu SSL tests with OpenSSL'
+    name: 'Ubuntu SSL tests'
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     needs: build-context
@@ -298,16 +298,23 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-24.04]
-        # Keep 1.1.1w in our list despite it being upstream EOL and otherwise
-        # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
-        # supported by important vendors such as AWS-LC.
-        openssl_ver: [1.1.1w, 3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1]
-        # See Tools/ssl/make_ssl_data.py for notes on adding a new version
+        ssllib:
+          # See Tools/ssl/make_ssl_data.py for notes on adding a new version
+          ## OpenSSL
+          # Keep 1.1.1w in our list despite it being upstream EOL and otherwise
+          # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
+          # supported by important vendors such as AWS-LC.
+          - { name: openssl, version: 1.1.1w }
+          - { name: openssl, version: 3.0.19 }
+          - { name: openssl, version: 3.3.6 }
+          - { name: openssl, version: 3.4.4 }
+          - { name: openssl, version: 3.5.5 }
+          - { name: openssl, version: 3.6.1 }
     env:
-      OPENSSL_VER: ${{ matrix.openssl_ver }}
+      SSLLIB_VER: ${{ matrix.ssllib.version }}
       MULTISSL_DIR: ${{ github.workspace }}/multissl
-      OPENSSL_DIR: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}
-      LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
+      SSLLIB_DIR: ${{ github.workspace }}/multissl/${{ matrix.ssllib.name }}/${{ matrix.ssllib.version }}
+      LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/${{ matrix.ssllib.name }}/${{ matrix.ssllib.version }}/lib
     steps:
     - uses: actions/checkout@v6
       with:
@@ -318,26 +325,37 @@ jobs:
       run: echo "::add-matcher::.github/problem-matchers/gcc.json"
     - name: Install dependencies
       run: sudo ./.github/workflows/posix-deps-apt.sh
-    - name: Configure OpenSSL env vars
-      run: |
-        echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV"
-        echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}" >> "$GITHUB_ENV"
-        echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> "$GITHUB_ENV"
-    - name: 'Restore OpenSSL build'
-      id: cache-openssl
+    - name: 'Restore SSL library build'
+      id: cache-ssl-lib
       uses: actions/cache@v5
       with:
-        path: ./multissl/openssl/${{ env.OPENSSL_VER }}
-        key: ${{ matrix.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
-    - name: Install OpenSSL
-      if: steps.cache-openssl.outputs.cache-hit != 'true'
-      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --openssl "$OPENSSL_VER" --system Linux
+        path: ./multissl/${{ matrix.ssllib.name }}/${{ matrix.ssllib.version }}
+        key: ${{ matrix.os }}-multissl-${{ matrix.ssllib.name }}-${{ matrix.ssllib.version }}
+    - name: Install SSL Library
+      if: steps.cache-ssl-lib.outputs.cache-hit != 'true'
+      run: |
+        python3 Tools/ssl/multissltests.py \
+          --steps=library \
+          --base-directory "$MULTISSL_DIR" \
+          '--${{ matrix.ssllib.name }}' '${{ matrix.ssllib.version }}' \
+          --system Linux
     - name: Configure CPython
-      run: ./configure CFLAGS="-fdiagnostics-format=json" --config-cache --enable-slower-safety --with-pydebug --with-openssl="$OPENSSL_DIR"
+      run: |
+        ./configure CFLAGS="-fdiagnostics-format=json" \
+          --config-cache \
+          --enable-slower-safety \
+          --with-pydebug \
+          --with-openssl="$SSLLIB_DIR" \
+          --with-builtin-hashlib-hashes=blake2 \
+          --with-ssl-default-suites=openssl
     - name: Build CPython
       run: make -j4
     - name: Display build info
       run: make pythoninfo
+    - name: Verify python is linked to the right lib
+      run: |
+        ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' \
+          | grep -iE '${{ matrix.ssllib.name }}.*${{ matrix.ssllib.version }}'
     - name: SSL tests
       run: ./python Lib/test/ssltests.py