Bump actions/checkout from 2 to 4 #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: {} | |
push: | |
branches: | |
- master | |
- '*.*.x' | |
tags: | |
- '*.*' | |
- '*.*.*' | |
jobs: | |
linux: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
PYTHON: | |
- {VERSION: "3.9", TOXENV: "pep8,packaging,docs", COVERAGE: "false"} | |
- {VERSION: "pypy2", TOXENV: "pypy-nocoverage", COVERAGE: "false"} | |
- {VERSION: "pypy3", TOXENV: "pypy3-nocoverage", COVERAGE: "false"} | |
- {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} | |
- {VERSION: "2.7", TOXENV: "py27-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} | |
- {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} | |
- {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}} | |
- {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}} | |
- {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}} | |
- {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} | |
- {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} | |
- {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} | |
- {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.4"}} | |
- {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.2"}} | |
name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: ${{ matrix.PYTHON.VERSION }} | |
- run: git clone --depth=1 https://github.com/google/wycheproof | |
- run: python -m pip install tox requests coverage | |
- name: Compute config hash and set config vars | |
run: | | |
DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" | |
CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS" | |
CONFIG_HASH=$(echo "$CONFIG_FLAGS" | sha1sum | sed 's/ .*$//') | |
echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV | |
echo "CONFIG_HASH=${CONFIG_HASH}" >> $GITHUB_ENV | |
echo "OSSL_INFO=${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV | |
echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_HASH}" >> $GITHUB_ENV | |
env: | |
CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} | |
if: matrix.PYTHON.OPENSSL | |
- name: Load cache | |
uses: actions/cache@v2 | |
id: ossl-cache | |
with: | |
path: ${{ github.workspace }}/osslcache | |
# When altering the openssl build process you may need to increment the value on the end of this cache key | |
# so that you can prevent it from fetching the cache and skipping the build step. | |
key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-1 | |
if: matrix.PYTHON.OPENSSL | |
- name: Build custom OpenSSL/LibreSSL | |
run: .github/workflows/build_openssl.sh | |
env: | |
TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }} | |
VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }} | |
if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true' | |
- name: Set CFLAGS/LDFLAGS | |
run: | | |
echo "CFLAGS=${CFLAGS} -I${OSSL_PATH}/include" >> $GITHUB_ENV | |
echo "LDFLAGS=${LDFLAGS} -L${OSSL_PATH}/lib -Wl,-rpath=${OSSL_PATH}/lib" >> $GITHUB_ENV | |
if: matrix.PYTHON.OPENSSL | |
- name: Tests | |
run: | | |
tox -r -- --color=yes --wycheproof-root=wycheproof | |
env: | |
TOXENV: ${{ matrix.PYTHON.TOXENV }} | |
- uses: ./.github/actions/upload-coverage | |
with: | |
name: "tox -e ${{ matrix.PYTHON.TOXENV }} ${{ env.OSSL_INFO }}" | |
if: matrix.PYTHON.COVERAGE != 'false' | |
linux-distros: | |
runs-on: ubuntu-latest | |
container: ${{ matrix.IMAGE.IMAGE }} | |
strategy: | |
matrix: | |
IMAGE: | |
- {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"} | |
- {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"} | |
- {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: "OPENSSL_FORCE_FIPS_MODE=1"} | |
- {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"} | |
- {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"} | |
- {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"} | |
- {IMAGE: "pyca/cryptography-runner-sid", TOXENV: "py39"} | |
- {IMAGE: "pyca/cryptography-runner-ubuntu-bionic", TOXENV: "py36"} | |
- {IMAGE: "pyca/cryptography-runner-ubuntu-focal", TOXENV: "py38"} | |
- {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py27"} | |
- {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38"} | |
- {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38-randomorder"} | |
- {IMAGE: "pyca/cryptography-runner-fedora", TOXENV: "py39"} | |
- {IMAGE: "pyca/cryptography-runner-alpine", TOXENV: "py38"} | |
name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"' | |
- run: 'echo "$ENV_VAR" >> $GITHUB_ENV' | |
if: matrix.IMAGE.ENV | |
env: | |
ENV_VAR: ${{ matrix.IMAGE.ENV }} | |
- run: 'tox -- --wycheproof-root="$HOME/wycheproof"' | |
env: | |
TOXENV: ${{ matrix.IMAGE.TOXENV }} | |
- uses: ./.github/actions/upload-coverage | |
with: | |
name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}" | |
macos: | |
runs-on: macos-latest | |
strategy: | |
matrix: | |
PYTHON: | |
- {VERSION: "2.7", TOXENV: "py27", EXTRA_CFLAGS: ""} | |
- {VERSION: "3.6", TOXENV: "py36", EXTRA_CFLAGS: ""} | |
- {VERSION: "3.9", TOXENV: "py39", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"} | |
name: "Python ${{ matrix.PYTHON.VERSION }} on macOS" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: ${{ matrix.PYTHON.VERSION }} | |
- run: python -m pip install tox requests coverage | |
- run: git clone https://github.com/google/wycheproof | |
- name: Download OpenSSL | |
run: | | |
python .github/workflows/download_openssl.py macos openssl-macos-x86-64 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Tests | |
run: | | |
CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \ | |
LDFLAGS="${HOME}/openssl-macos-x86-64/lib/libcrypto.a ${HOME}/openssl-macos-x86-64/lib/libssl.a" \ | |
CFLAGS="-I${HOME}/openssl-macos-x86-64/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.10 -march=core2 $EXTRA_CFLAGS" \ | |
tox -r -- --color=yes --wycheproof-root=wycheproof | |
env: | |
TOXENV: ${{ matrix.PYTHON.TOXENV }} | |
EXTRA_CFLAGS: ${{ matrix.PYTHON.EXTRA_CFLAGS }} | |
- uses: ./.github/actions/upload-coverage | |
with: | |
name: "Python ${{ matrix.PYTHON.VERSION }} on macOS" | |
windows: | |
runs-on: windows-latest | |
strategy: | |
matrix: | |
WINDOWS: | |
- {ARCH: 'x86', WINDOWS: 'win32'} | |
- {ARCH: 'x64', WINDOWS: 'win64'} | |
PYTHON: | |
- {VERSION: "2.7", TOXENV: "py27", MSVC_VERSION: "2010", CL_FLAGS: ""} | |
- {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019", CL_FLAGS: ""} | |
- {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019", CL_FLAGS: ""} | |
- {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: ""} | |
- {VERSION: "3.9", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"} | |
name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: ${{ matrix.PYTHON.VERSION }} | |
architecture: ${{ matrix.WINDOWS.ARCH }} | |
- name: Install MSVC for Python 2.7 | |
run: | | |
Invoke-WebRequest -Uri https://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi -OutFile VCForPython27.msi | |
Start-Process msiexec -Wait -ArgumentList @('/i', 'VCForPython27.msi', '/qn', 'ALLUSERS=1') | |
Remove-Item VCForPython27.msi -Force | |
shell: powershell | |
if: matrix.PYTHON.VERSION == '2.7' | |
- run: python -m pip install tox requests coverage | |
- name: Download OpenSSL | |
run: | | |
python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }} | |
echo "INCLUDE=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;$INCLUDE" >> $GITHUB_ENV | |
echo "LIB=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;$LIB" >> $GITHUB_ENV | |
echo "CL=${{ matrix.PYTHON.CL_FLAGS }}" >> $GITHUB_ENV | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
shell: bash | |
- run: git clone https://github.com/google/wycheproof | |
- run: tox -r -- --color=yes --wycheproof-root=wycheproof | |
env: | |
TOXENV: ${{ matrix.PYTHON.TOXENV }} | |
- uses: ./.github/actions/upload-coverage | |
with: | |
name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}" | |
linux-downstream: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
DOWNSTREAM: | |
- paramiko | |
- pyopenssl | |
- twisted | |
- aws-encryption-sdk | |
- dynamodb-encryption-sdk | |
- certbot | |
- certbot-josepy | |
name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.7 | |
- run: python -m pip install -U pip wheel | |
- run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install | |
- run: pip uninstall -y enum34 | |
- run: pip install . | |
- run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run | |
docs-linkcheck: | |
if: github.event_name == 'push' && github.ref == 'refs/heads/master' | |
runs-on: ubuntu-latest | |
name: "linkcheck" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.9 | |
- run: python -m pip install -U tox | |
- run: tox -r -- --color=yes | |
env: | |
TOXENV: docs-linkcheck |