From 38311ff298a83173362d4f4835fe423f2f01e9ae Mon Sep 17 00:00:00 2001 From: Adrien Cacciaguerra Date: Tue, 16 Apr 2024 15:20:31 -0400 Subject: [PATCH] feat: add CodSpeed to the project --- .github/workflows/auto-close-stale.yml | 23 - .github/workflows/benchmark.yml | 46 +- .../workflows/boring-open-version-bump.yml | 71 --- .github/workflows/build_openssl.sh | 80 --- .github/workflows/ci.yml | 491 ------------------ .github/workflows/linkcheck.yml | 45 -- .github/workflows/lock.yml | 19 - .github/workflows/pypi-publish.yml | 99 ---- .github/workflows/wheel-builder.yml | 345 ------------ .github/workflows/x509-limbo-version-bump.yml | 70 --- .gitignore | 1 + ci-constraints-requirements.txt | 3 + pyproject.toml | 1 + 13 files changed, 18 insertions(+), 1276 deletions(-) delete mode 100644 .github/workflows/auto-close-stale.yml delete mode 100644 .github/workflows/boring-open-version-bump.yml delete mode 100755 .github/workflows/build_openssl.sh delete mode 100644 .github/workflows/ci.yml delete mode 100644 .github/workflows/linkcheck.yml delete mode 100644 .github/workflows/lock.yml delete mode 100644 .github/workflows/pypi-publish.yml delete mode 100644 .github/workflows/wheel-builder.yml delete mode 100644 .github/workflows/x509-limbo-version-bump.yml diff --git a/.github/workflows/auto-close-stale.yml b/.github/workflows/auto-close-stale.yml deleted file mode 100644 index de269c8aceac..000000000000 --- a/.github/workflows/auto-close-stale.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: Auto-close stale issues -on: - workflow_dispatch: - schedule: - - cron: '0 0 * * *' - -permissions: - issues: "write" - pull-requests: "write" - -jobs: - auto-close: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 - with: - only-labels: waiting-on-reporter - days-before-stale: 3 - days-before-close: 5 - stale-issue-message: "This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days." - close-issue-message: "This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it." - close-issue-reason: completed diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 196e9905ac21..42b21ecbb3b2 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -1,23 +1,18 @@ name: Benchmark on: + push: + branches: + - main pull_request: paths: - '.github/workflows/benchmark.yml' - 'src/**' - 'tests/**' workflow_dispatch: - inputs: - base_commit: - description: The base commit to compare against - permissions: contents: read -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} - cancel-in-progress: true - env: CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse 
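Review bot: The `concurrency` group with `cancel-in-progress: true` is dropped at the end of this hunk while a new `push: branches: - main` trigger is added at the top, so superseded runs are no longer cancelled and every PR push plus every merge to main queues a full benchmark job that checks out the repo and is handed `CODSPEED_TOKEN`. Unless CodSpeed needs every run to finish (I can't tell from here), I'd restore the three lines `concurrency:` / `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}` / `cancel-in-progress: true`, which is the same pattern the deleted ci.yml used. The `workflow_dispatch:` trigger also loses its `base_commit` input, so a manual run now benchmarks whichever ref is selected with no in-workflow comparison; a one-line comment above it such as `# Manual runs benchmark the selected ref only; comparison presumably happens on the CodSpeed side` would record that.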
@@ -28,38 +23,23 @@ jobs: steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 - with: - persist-credentials: false - path: "cryptography-pr" - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - timeout-minutes: 3 - with: - repository: "pyca/cryptography" - path: "cryptography-base" - ref: "${{ github.event.inputs.base_commit || github.base_ref }}" - name: Clone test vectors timeout-minutes: 2 - uses: ./cryptography-base/.github/actions/fetch-vectors + uses: ./.github/actions/fetch-vectors - name: Setup python id: setup-python uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: - python-version: "3.11" + python-version: "3.12" - - name: Create virtualenv (base) - run: | - python -m venv .venv-base - .venv-base/bin/pip install -v -c ./cryptography-base/ci-constraints-requirements.txt "./cryptography-base[test]" ./cryptography-base/vectors/ - - name: Create virtualenv (PR) + - name: Create virtualenv run: | - python -m venv .venv-pr - .venv-pr/bin/pip install -v -c ./cryptography-pr/ci-constraints-requirements.txt "./cryptography-pr[test]" ./cryptography-pr/vectors/ + python -m venv .venv + .venv/bin/pip install -v -c ./ci-constraints-requirements.txt "./[test]" ./vectors/ - - name: Run benchmarks (base) - run: .venv-base/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-base.json --x509-limbo-root=x509-limbo/ - - name: Run benchmarks (PR) - run: .venv-pr/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-pr.json --x509-limbo-root=x509-limbo/ - - - name: Compare results - run: python ./cryptography-pr/.github/compare_benchmarks.py bench-base.json bench-pr.json | tee -a $GITHUB_STEP_SUMMARY + - name: Run benchmarks + uses: CodSpeedHQ/action@v2 + with: + token: ${{ secrets.CODSPEED_TOKEN }} + run: .venv/bin/pytest --codspeed --benchmark-enable --benchmark-only 
./tests/bench/ --benchmark-json=bench-pr.json --x509-limbo-root=x509-limbo/ diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml deleted file mode 100644 index 7b90df1a76c5..000000000000 --- a/.github/workflows/boring-open-version-bump.yml +++ /dev/null 
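Review bot: The new `uses: CodSpeedHQ/action@v2` step is pinned to a mutable tag, while every other action in this hunk (and in the deleted workflows) is pinned to a full commit SHA with a version comment, e.g. `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`; a third-party action that receives `secrets.CODSPEED_TOKEN` and executes the test command should follow the same convention, `uses: CodSpeedHQ/action@<full commit SHA of the intended v2 release> # v2.x.y`. That step also runs after the remaining `actions/checkout` lost its `persist-credentials: false`, so the job's GITHUB_TOKEN stays in `.git/config` in the workspace where the action and the pytest process it spawns can read it; restore `with:` / `persist-credentials: false` under the checkout step. Because the workflow still triggers on `pull_request`, `CODSPEED_TOKEN` will be empty for PRs opened from forks (GitHub does not pass repository secrets to fork-PR runs), so the step presumably fails or is skipped there — worth either an `if:` guard on the step or a comment stating the expected behaviour. The job definition (`jobs:`, its name and `runs-on`) starts above this hunk.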
@@ -1,71 +0,0 @@ -name: Bump BoringSSL and/or OpenSSL -permissions: - contents: read - -on: - workflow_dispatch: - schedule: - # Run daily - - cron: "0 0 * * *" - -jobs: - bump: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - id: check-sha-boring - run: | - SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) - LAST_COMMIT=$(grep boringssl .github/workflows/ci.yml | grep TYPE | grep -oE '[a-f0-9]{40}') - if ! grep -q "$SHA" .github/workflows/ci.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## BoringSSL\n[Commit: ${SHA}](https://boringssl.googlesource.com/boringssl/+/${SHA})\n\n[Diff](https://boringssl.googlesource.com/boringssl/+/${LAST_COMMIT}..${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - - fi - - id: check-sha-openssl - run: | - SHA=$(git ls-remote https://github.com/openssl/openssl refs/heads/master | cut -f1) - LAST_COMMIT=$(grep openssl .github/workflows/ci.yml | grep TYPE | grep -oE '[a-f0-9]{40}') - if ! grep -q "$SHA" .github/workflows/ci.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## OpenSSL\n[Commit: ${SHA}](https://github.com/openssl/openssl/commit/${SHA})\n\n[Diff](https://github.com/openssl/openssl/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." 
>> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - fi - - name: Update boring - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the BoringSSL master branch.*/Latest commit on the BoringSSL master branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml - sed -E -i "s/TYPE: \"boringssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"boringssl\", VERSION: \"${{ steps.check-sha-boring.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml - git status - if: steps.check-sha-boring.outputs.COMMIT_SHA - - name: Update OpenSSL - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the OpenSSL master branch.*/Latest commit on the OpenSSL master branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml - sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml - git status - if: steps.check-sha-openssl.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: generate-token - with: - app_id: ${{ secrets.BORINGBOT_APP_ID }} - private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} - if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 - with: - branch: "bump-openssl-boringssl" - commit-message: "Bump BoringSSL and/or OpenSSL in CI" - title: "Bump BoringSSL and/or OpenSSL in CI" - author: "pyca-boringbot[bot] " - body: | - ${{ steps.check-sha-boring.outputs.COMMIT_MSG }} - ${{ steps.check-sha-openssl.outputs.COMMIT_MSG }} - token: ${{ steps.generate-token.outputs.token }} - if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh deleted file mode 100755 index 72b06e0b8f3e..000000000000 
--- a/.github/workflows/build_openssl.sh +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/bin/bash -set -e -set -x - -shlib_sed() { - # modify the shlib version to a unique one to make sure the dynamic - # linker doesn't load the system one. - sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile - sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile - sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile -} -shlib_sed_3() { - # OpenSSL 3 changes how it does the shlib versioning - sed -i "s/^SHLIB_VERSION=.*/SHLIB_VERSION=100/" VERSION.dat -} - -if [[ "${TYPE}" == "openssl" ]]; then - if [[ "${VERSION}" =~ ^[0-9a-f]{40}$ ]]; then - git clone https://github.com/openssl/openssl - pushd openssl - git checkout "${VERSION}" - else - curl -LO "https://github.com/openssl/openssl/releases/download/openssl-${VERSION}/openssl-${VERSION}.tar.gz" - tar zxf "openssl-${VERSION}.tar.gz" - pushd "openssl-${VERSION}" - fi - # For OpenSSL 3 we need to call this before config - if [[ "${VERSION}" =~ ^3. ]] || [[ "${VERSION}" =~ ^[0-9a-f]{40}$ ]]; then - shlib_sed_3 - fi - - # CONFIG_FLAGS is a global coming from a previous step - ./config ${CONFIG_FLAGS} -fPIC --prefix="${OSSL_PATH}" - - # For OpenSSL 1 we need to call this after config - if [[ "${VERSION}" =~ ^1. ]]; then - shlib_sed - fi - make depend - make -j"$(nproc)" - # avoid installing the docs (for performance) - # https://github.com/openssl/openssl/issues/6685#issuecomment-403838728 - make install_sw install_ssldirs - # delete binaries we don't need - rm -rf "${OSSL_PATH}/bin" - # For OpenSSL 3.0.0 set up the FIPS config. This does not activate it by - # default, but allows programmatic activation at runtime - if [[ "${VERSION}" =~ ^3. 
&& "${CONFIG_FLAGS}" =~ enable-fips ]]; then - # As of alpha16 we have to install it separately and enable it in the config flags - make -j"$(nproc)" install_fips - pushd "${OSSL_PATH}" - # include the conf file generated as part of install_fips - sed -i "s:# .include fipsmodule.cnf:.include $(pwd)/ssl/fipsmodule.cnf:" ssl/openssl.cnf - # uncomment the FIPS section - sed -i 's:# fips = fips_sect:fips = fips_sect:' ssl/openssl.cnf - popd - fi - popd -elif [[ "${TYPE}" == "libressl" ]]; then - curl -LO "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" - tar zxf "libressl-${VERSION}.tar.gz" - pushd "libressl-${VERSION}" - cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" - make -C build -j"$(nproc)" install - # delete binaries, libtls, and docs we don't need. can't skip install/compile sadly - rm -rf "${OSSL_PATH}/bin" - rm -rf "${OSSL_PATH}/share" - rm -rf "${OSSL_PATH}/lib/libtls*" - popd -elif [[ "${TYPE}" == "boringssl" ]]; then - git clone https://boringssl.googlesource.com/boringssl - pushd boringssl - git checkout "${VERSION}" - cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" - make -C build -j"$(nproc)" install - # delete binaries we don't need - rm -rf "${OSSL_PATH}/bin" - popd - rm -rf boringssl/ -fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index b749c16bbb28..000000000000 --- a/.github/workflows/ci.yml +++ /dev/null 
@@ -1,491 +0,0 @@ -name: CI -on: - pull_request: {} - push: - branches: - - main - - '*.*.x' - tags: - - '*.*' - - '*.*.*' - -permissions: - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} - cancel-in-progress: true - -env: - CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse - CARGO_INCREMENTAL: 0 - -jobs: - linux: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - PYTHON: - - {VERSION: "3.12", NOXSESSION: "flake"} - - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3"}} - - {VERSION: "3.13-dev", NOXSESSION: "tests"} - - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.15"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.7"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.2"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.7"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.3"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.4.0-alpha1"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - - {VERSION: "3.12", NOXSESSION: 
"tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Sep 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9224e6d138f789b2db9f23b40dd016fffcdfd59e"}} - # Latest commit on the OpenSSL master branch, as of Sep 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c4a5d70d98cf57434cd4f7a1ae890a2e3d09c434"}} - # Builds with various Rust versions. Includes MSRV and next - # potential future MSRV. - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} - - {VERSION: "3.12", NOXSESSION: "tests-rust-debug"} - timeout-minutes: 15 - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Setup python - id: setup-python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - name: Setup rust - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 - with: - toolchain: ${{ matrix.PYTHON.RUST }} - components: rustfmt,clippy - if: matrix.PYTHON.RUST - - - run: rustup component add llvm-tools-preview - if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' - - name: Clone test vectors - timeout-minutes: 2 - uses: ./.github/actions/fetch-vectors - if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' && matrix.PYTHON.NOXSESSION != 'rust' - - name: Compute config hash and set config vars - run: | - DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" - CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS" - OPENSSL_HASH=$(echo "${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-$CONFIG_FLAGS" | sha1sum | sed 
's/ .*$//') - echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV - echo "OPENSSL_HASH=${OPENSSL_HASH}" >> $GITHUB_ENV - echo "OSSL_INFO=${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV - echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${OPENSSL_HASH}" >> $GITHUB_ENV - env: - CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} - if: matrix.PYTHON.OPENSSL - - name: Load OpenSSL cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: ossl-cache - timeout-minutes: 2 - with: - path: ${{ github.workspace }}/osslcache - # When altering the openssl build process you may need to increment - # the value on the end of this cache key so that you can prevent it - # from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-12 - if: matrix.PYTHON.OPENSSL - - name: Build custom OpenSSL/LibreSSL - run: .github/workflows/build_openssl.sh - env: - TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }} - VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }} - if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true' - - name: Set CFLAGS/LDFLAGS - run: | - echo "OPENSSL_DIR=${OSSL_PATH}" >> $GITHUB_ENV - echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration" >> $GITHUB_ENV - echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV - if: matrix.PYTHON.OPENSSL - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - # We have both the Python version from the matrix and from the - # setup-python step because the latter doesn't distinguish - # pypy3-3.8 and pypy3-3.9 -- both of them show up as 7.3.11. 
- key: ${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-${{ matrix.PYTHON.NOXSESSION }}-${{ env.OPENSSL_HASH }} - - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - - name: Create nox environment - run: | - nox -v --install-only - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: Tests - run: | - nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo ${{ matrix.PYTHON.NOXARGS }} - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - COLUMNS: 80 - CRYPTOGRAPHY_OPENSSL_NO_LEGACY: ${{ matrix.PYTHON.OPENSSL.NO_LEGACY }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - - uses: ./.github/actions/upload-coverage - - distros: - runs-on: ${{ matrix.IMAGE.RUNNER }} - container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }} - strategy: - fail-fast: false - matrix: - IMAGE: - - {IMAGE: "rhel8", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "rhel8-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "bullseye", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "bookworm", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "trixie", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "sid", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-focal", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-jammy", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-noble", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-rolling", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "fedora", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "alpine", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "centos-stream9", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "centos-stream9-fips", 
NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - - {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - timeout-minutes: 15 - env: - RUSTUP_HOME: /root/.rustup - steps: - - name: Ridiculous alpine workaround for actions support on arm64 - run: | - # This modifies /etc/os-release so the JS actions - # from GH can't detect that it's on alpine:aarch64. It will - # then use a glibc nodejs, which works fine when gcompat - # is installed in the container (which it is) - sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release - if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - key: ${{ matrix.IMAGE.IMAGE }} - - name: Clone test vectors - timeout-minutes: 2 - uses: ./.github/actions/fetch-vectors - # When run in a docker container the home directory doesn't have the same owner as the - # apparent user so pip refuses to create a cache dir - - name: create pip cache dir - run: mkdir -p "${HOME}/.cache/pip" - - run: | - echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV - if: matrix.IMAGE.FIPS - - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - - run: '/venv/bin/nox -v --install-only' - env: - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - # OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream - OPENSSL_ENABLE_SHA1_SIGNATURES: 1 - NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }} - - run: '/venv/bin/nox --no-install -- --color=yes --wycheproof-root="wycheproof" --x509-limbo-root="x509-limbo"' - env: - COLUMNS: 80 - # OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream - OPENSSL_ENABLE_SHA1_SIGNATURES: 1 - NOXSESSION: ${{ 
matrix.IMAGE.NOXSESSION }} - - uses: ./.github/actions/upload-coverage - - macos: - runs-on: ${{ matrix.RUNNER.OS }} - strategy: - fail-fast: false - matrix: - RUNNER: - - {OS: 'macos-13', ARCH: 'x86_64'} - - {OS: 'macos-14', ARCH: 'arm64'} - PYTHON: - - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests"} - exclude: - # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - - PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - RUNNER: {OS: 'macos-14', ARCH: 'arm64'} - timeout-minutes: 15 - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - - - name: Setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: rustup component add llvm-tools-preview - - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - - - name: Clone test vectors - timeout-minutes: 2 - uses: ./.github/actions/fetch-vectors - - - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 - with: - repo: pyca/infra - workflow: build-macos-openssl.yml - branch: main - workflow_conclusion: success - name: openssl-macos-universal2 - path: "../openssl-macos-universal2/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Build nox environment - run: | - OPENSSL_DIR=$(readlink -f ../openssl-macos-universal2/) \ - OPENSSL_STATIC=1 \ - CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -mmacosx-version-min=10.12" \ - nox -v 
--install-only - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - COLUMNS: 80 - - - uses: ./.github/actions/upload-coverage - - windows: - runs-on: windows-latest - strategy: - fail-fast: false - matrix: - WINDOWS: - - {ARCH: 'x86', WINDOWS: 'win32'} - - {ARCH: 'x64', WINDOWS: 'win64'} - PYTHON: - - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests"} - timeout-minutes: 15 - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Setup python - id: setup-python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - architecture: ${{ matrix.WINDOWS.ARCH }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: rustup component add llvm-tools-preview - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 - with: - repo: pyca/infra - workflow: build-windows-openssl.yml - branch: main - workflow_conclusion: success - name: "openssl-${{ matrix.WINDOWS.WINDOWS }}" - path: "C:/openssl-${{ matrix.WINDOWS.WINDOWS }}/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Configure - run: | - echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV - shell: bash - - - name: Clone test vectors - timeout-minutes: 2 - uses: 
./.github/actions/fetch-vectors - - - name: Build nox environment - run: nox -v --install-only - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - COLUMNS: 80 - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - - uses: ./.github/actions/upload-coverage - - linux-downstream: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - DOWNSTREAM: - - paramiko - - pyopenssl - - pyopenssl-release - - twisted - - aws-encryption-sdk - - dynamodb-encryption-sdk - - certbot - - certbot-josepy - - mitmproxy - - scapy - PYTHON: - - '3.12' - name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" - timeout-minutes: 15 - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - - name: Setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.PYTHON }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install - - run: pip install . - env: - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - # cryptography main has a version of "(X+1).0.0.dev1" where X is the - # most recently released major version. A package used by a downstream - # may depend on cryptography <=X. If you use entrypoints stuff, this can - # lead to runtime errors due to version incompatibilities. Rename the - # dist-info directory to pretend to be an older version to "solve" this. 
- - run: | - import json - import importlib.metadata - import shutil - import urllib.request - - d = importlib.metadata.distribution("cryptography") - with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r: - latest_version = json.load(r)["info"]["version"] - new_path = d.locate_file(f"cryptography-{latest_version}.dist-info") - shutil.move(d.locate_file(f"cryptography-{d.version}.dist-info"), new_path) - shell: python - - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run - - all-green: - # https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert - runs-on: ubuntu-latest - needs: [linux, distros, macos, windows, linux-downstream] - if: ${{ always() }} - timeout-minutes: 3 - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Decide whether the needed jobs succeeded or failed - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 - with: - jobs: ${{ toJSON(needs) }} - - name: Setup python - if: ${{ always() }} - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: '3.12' - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: pip install -c ci-constraints-requirements.txt coverage[toml] - if: ${{ always() }} - - name: Download coverage data - if: ${{ always() }} - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - pattern: coverage-data-* - merge-multiple: true - - name: Combine coverage and fail if it's <100%. - if: ${{ always() }} - id: combinecoverage - run: | - set +e - python -m coverage combine - echo "## Python Coverage" >> $GITHUB_STEP_SUMMARY - python -m coverage report -m --fail-under=100 > COV_REPORT - COV_EXIT_CODE=$? 
- cat COV_REPORT - if [ $COV_EXIT_CODE -ne 0 ]; then - echo "🚨 Python Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY - fi - echo '```' >> $GITHUB_STEP_SUMMARY - cat COV_REPORT >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - exit $COV_EXIT_CODE - - name: Combine rust coverage and fail if it's <100%. - if: ${{ always() }} - id: combinerustcoverage - run: | - set +e - sudo apt-get install -y lcov - RUST_COVERAGE_OUTPUT=$(lcov $(for f in *.lcov; do echo --add-tracefile "$f"; done) -o combined.lcov | grep lines) - echo "## Rust Coverage" >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - echo $RUST_COVERAGE_OUTPUT >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - if ! echo "$RUST_COVERAGE_OUTPUT" | grep "100.0%"; then - echo "🚨 Rust Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY - exit 1 - fi - - name: Create rust coverage HTML - run: genhtml combined.lcov -o rust-coverage - if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }} - - name: Create coverage HTML - run: python -m coverage html - if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - - name: Upload HTML report. - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: _html-report - path: htmlcov - if-no-files-found: ignore - if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - - name: Upload rust HTML report. - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: _html-rust-report - path: rust-coverage - if-no-files-found: ignore - if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }} diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml deleted file mode 100644 index 3fee6f366845..000000000000 --- a/.github/workflows/linkcheck.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: linkcheck -on: - pull_request: - paths: - - docs/conf.py - - .github/workflows/linkcheck.yml - schedule: - # Run once a week on Fridays - - cron: "0 0 * * FRI" - -permissions: - contents: read - -env: - CARGO_INCREMENTAL: 0 - -jobs: - docs-linkcheck: - runs-on: ubuntu-latest - name: "linkcheck" - timeout-minutes: 10 - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Setup python - id: setup-python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: 3.11 - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - # This creates the same key as the docs job (as long as they have the same - # python version) - key: 3.11-${{ steps.setup-python.outputs.python-version }} - - run: python -m pip install -c ci-constraints-requirements.txt nox - - name: Build nox environment - run: | - nox -v --install-only -s docs-linkcheck - env: - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: linkcheck - run: nox --no-install -s docs-linkcheck -- --color=yes diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml deleted file mode 100644 index f037c6555c4f..000000000000 --- a/.github/workflows/lock.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Lock Issues -on: - workflow_dispatch: - schedule: - - cron: '0 3 * * *' - -permissions: - issues: "write" - -jobs: - lock: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - issue-inactive-days: 90 - pr-inactive-days: 90 diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml deleted file mode 100644 index 7a01112d4c2d..000000000000 --- a/.github/workflows/pypi-publish.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -name: Publish to PyPI - -on: - workflow_dispatch: - inputs: - run_id: - description: The run of wheel-builder to use for finding artifacts. - required: true - environment: - description: Which PyPI environment to upload to - required: true - type: choice - options: ["testpypi", "pypi"] - workflow_run: - workflows: ["Wheel Builder"] - types: [completed] - -env: - PUBLISH_REQUIREMENTS_PATH: .github/requirements/publish-requirements.txt - -permissions: - contents: read - -jobs: - publish: - runs-on: ubuntu-latest - # We're not actually verifying that the triggering push event was for a - # tag, because github doesn't expose enough information to do so. - # wheel-builder.yml currently only has push events for tags. - if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success') - permissions: - id-token: "write" - attestations: "write" - steps: - - run: echo "$EVENT_CONTEXT" - env: - EVENT_CONTEXT: ${{ toJson(github.event) }} - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: "3.11" - - name: Get publish-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - sparse-checkout: | - ${{ env.PUBLISH_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - persist-credentials: false - - name: Install Python dependencies - run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 - with: - path: dist/ - run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} - - - run: | - echo "OIDC_AUDIENCE=pypi" >> $GITHUB_ENV - echo "PYPI_DOMAIN=pypi.org" >> $GITHUB_ENV - echo "TWINE_REPOSITORY=pypi" >> $GITHUB_ENV - echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV - if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' 
&& github.event.inputs.environment == 'pypi') - - run: | - echo "OIDC_AUDIENCE=testpypi" >> $GITHUB_ENV - echo "PYPI_DOMAIN=test.pypi.org" >> $GITHUB_ENV - echo "TWINE_REPOSITORY=testpypi" >> $GITHUB_ENV - echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV - if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi' - - - run: | - import os - - import requests - - response = requests.get( - os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"], - params={"audience": os.environ["OIDC_AUDIENCE"]}, - headers={"Authorization": f"bearer {os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"} - ) - response.raise_for_status() - token = response.json()["value"] - - response = requests.post(f"https://{os.environ['PYPI_DOMAIN']}/_/oidc/mint-token", json={"token": token}) - response.raise_for_status() - pypi_token = response.json()["token"] - - with open(os.environ["GITHUB_ENV"], "a") as f: - print(f"::add-mask::{pypi_token}") - f.write(f"TWINE_PASSWORD={pypi_token}\n") - shell: python - - - run: find dist/ -type f -name 'cryptography*' -print0 | xargs -0 twine upload --skip-existing - - # Do not perform attestation for things for TestPyPI. This is because - # there's nothing that would prevent a malicious PyPI from serving a - # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 - with: - subject-path: 'dist/**/cryptography*' - if: env.TWINE_REPOSITORY == 'pypi' diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml deleted file mode 100644 index 8204c478a712..000000000000 --- a/.github/workflows/wheel-builder.yml +++ /dev/null 
@@ -1,345 +0,0 @@ -name: Wheel Builder -permissions: - contents: read -on: - workflow_dispatch: - inputs: - version: - description: The version to build - # Do not add any non-tag push events without updating pypi-publish.yml. If - # you do, it'll upload wheels to PyPI. - push: - tags: - - '*.*' - - '*.*.*' - pull_request: - paths: - - .github/workflows/wheel-builder.yml - - .github/requirements/** - - pyproject.toml - - vectors/pyproject.toml - -env: - BUILD_REQUIREMENTS_PATH: .github/requirements/build-requirements.txt - -jobs: - sdist: - runs-on: ubuntu-latest - name: sdists - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - - - run: python -m venv .venv - - name: Install Python dependencies - run: .venv/bin/pip install -U pip build - - name: Make sdist (cryptography) - run: .venv/bin/python -m build --sdist - - name: Make sdist and wheel (vectors) - run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: "cryptography-sdist" - path: dist/cryptography* - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: "vectors-sdist-wheel" - path: vectors/dist/cryptography* - - manylinux: - needs: [sdist] - runs-on: ${{ matrix.MANYLINUX.RUNNER }} - container: - image: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }} - volumes: - - /staticnodehost:/staticnodecontainer:rw,rshared - - /staticnodehost:/__e/node20:ro,rshared - strategy: - fail-fast: false - matrix: - PYTHON: - - { VERSION: "cp311-cp311", ABI_VERSION: 'py37' } - - { VERSION: "cp311-cp311", ABI_VERSION: 'py39' } - - { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: - - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } - - { NAME: 
"manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"} - - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } - - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - exclude: - # There are no readily available musllinux PyPy distributions - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - # We also don't build pypy wheels for anything except the latest manylinux - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" - steps: - - name: Ridiculous-er workaround for static node20 - run: | - cp -R /staticnode/* /staticnodecontainer/ - - name: Ridiculous alpine workaround for actions support on arm64 - run: | - # This modifies /etc/os-release so the JS actions - # from GH can't detect that it's on alpine:aarch64. 
It will - # then use a glibc nodejs, which works fine when gcompat - # is installed in the container (which it is) - sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release - if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - - - name: Get build-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - sparse-checkout: | - ${{ env.BUILD_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - - run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv - - name: Install Python dependencies - run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: cryptography-sdist - - run: mkdir tmpwheelhouse - - name: Build the wheel - run: | - if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" - fi - - # `maturin` has a binary that needs to be on the $PATH, so we - # activate the venv. 
- source .venv/bin/activate - OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ - OPENSSL_STATIC=1 \ - .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ - mv dist/cryptography*.whl tmpwheelhouse - env: - RUSTUP_HOME: /root/.rustup - - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/ - - run: unzip wheelhouse/*.whl -d execstack.check - - run: | - results=$(readelf -lW execstack.check/cryptography/hazmat/bindings/*.so) - count=$(echo "$results" | grep -c 'GNU_STACK.*[R ][W ]E' || true) - if [ "$count" -ne 0 ]; then - exit 1 - else - exit 0 - fi - - run: .venv/bin/pip install cryptography --no-index -f wheelhouse/ - - run: | - .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - run: mkdir cryptography-wheelhouse - - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" - path: cryptography-wheelhouse/ - - macos: - needs: [sdist] - runs-on: macos-13 - strategy: - fail-fast: false - matrix: - PYTHON: - - VERSION: '3.11' - ABI_VERSION: 'py37' - # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel - DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' - BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' - # This archflags is default, but let's be explicit - ARCHFLAGS: '-arch x86_64 -arch arm64' - # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 - # This will change in the 
future as we change the base Python we - # build against - _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - - VERSION: '3.11' - ABI_VERSION: 'py39' - # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel - DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' - BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' - # This archflags is default, but let's be explicit - ARCHFLAGS: '-arch x86_64 -arch arm64' - # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 - # This will change in the future as we change the base Python we - # build against - _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - - VERSION: 'pypy-3.10' - BIN_PATH: 'pypy3' - DEPLOYMENT_TARGET: '10.12' - _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - ARCHFLAGS: '-arch x86_64' - name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" - steps: - - name: Get build-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - sparse-checkout: | - ${{ env.BUILD_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - - name: Setup python - run: | - curl "$PYTHON_DOWNLOAD_URL" -o python.pkg - sudo installer -pkg python.pkg -target / - env: - PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} - if: contains(matrix.PYTHON.VERSION, 'pypy') == false - - name: Setup pypy - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 - with: - repo: pyca/infra - workflow: 
build-macos-openssl.yml - branch: main - workflow_conclusion: success - name: openssl-macos-universal2 - path: "../openssl-macos-universal2/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 - with: - toolchain: stable - # Add the arm64 target in addition to the native arch (x86_64) - target: aarch64-apple-darwin - - run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv - - name: Install Python dependencies - run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: cryptography-sdist - - run: mkdir wheelhouse - - name: Build the wheel - run: | - if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" - fi - - # `maturin` has a binary that needs to be on the $PATH, so we - # activate the venv. 
- source venv/bin/activate - OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ - OPENSSL_STATIC=1 \ - venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ - mv dist/cryptography*.whl wheelhouse - env: - MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }} - ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }} - _PYTHON_HOST_PLATFORM: ${{ matrix.PYTHON._PYTHON_HOST_PLATFORM }} - - run: venv/bin/pip install -f wheelhouse/ --no-index cryptography - - name: Show the wheel's minimum macOS SDK and architectures - run: | - find venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \; - - run: | - venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - - run: mkdir cryptography-wheelhouse - - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - run: | - echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" - path: cryptography-wheelhouse/ - - windows: - needs: [sdist] - runs-on: windows-latest - strategy: - fail-fast: false - matrix: - WINDOWS: - - {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'} - PYTHON: - - {VERSION: "3.11", "ABI_VERSION": "py37"} - - {VERSION: "3.11", "ABI_VERSION": "py39"} - - {VERSION: "pypy-3.10"} - exclude: - # We need to exclude the below configuration because there is no 32-bit pypy3 - - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - PYTHON: {VERSION: "pypy-3.10"} - name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" 
- steps: - - name: Get build-requirements.txt from repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - sparse-checkout: | - ${{ env.BUILD_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: cryptography-sdist - - - name: Setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - architecture: ${{ matrix.WINDOWS.ARCH }} - - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 - with: - toolchain: stable - target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 - with: - repo: pyca/infra - workflow: build-windows-openssl.yml - branch: main - workflow_conclusion: success - name: "openssl-${{ matrix.WINDOWS.WINDOWS }}" - path: "C:/openssl-${{ matrix.WINDOWS.WINDOWS }}/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Configure OpenSSL - run: | - echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV - echo "OPENSSL_STATIC=1" >> $GITHUB_ENV - shell: bash - - name: Install Python dependencies - run: python -m pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - run: mkdir wheelhouse - - run: | - if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" - fi - - python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ - mv dist/cryptography*.whl wheelhouse/ - shell: bash - - run: pip install -f wheelhouse --no-index cryptography - - name: Print the OpenSSL we built and linked against - run: | - python -c "from 
cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - - run: mkdir cryptography-wheelhouse - - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" - path: cryptography-wheelhouse\ diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml deleted file mode 100644 index b04510d674bb..000000000000 --- a/.github/workflows/x509-limbo-version-bump.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -name: Bump x509-limbo and/or wycheproof -permissions: - contents: read - -on: - workflow_dispatch: - schedule: - # Run daily - - cron: "0 0 * * *" - -jobs: - bump: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - id: check-sha-x509-limbo - run: | - SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) - LAST_COMMIT=$(grep x509-limbo-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') - if ! grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## x509-limbo\n[Commit: ${SHA}](https://github.com/C2SP/x509-limbo/commit/${SHA})\n\n[Diff](https://github.com/C2SP/x509-limbo/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - fi - - name: Update x509-limbo - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the x509-limbo main branch.*/Latest commit on the x509-limbo main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml - sed -E -i "s/ref: \"[0-9a-f]{40}\" # x509-limbo-ref/ref: \"${{ steps.check-sha-x509-limbo.outputs.COMMIT_SHA }}\" # x509-limbo-ref/" .github/actions/fetch-vectors/action.yml - git status - if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA - - id: check-sha-wycheproof - run: | - SHA=$(git ls-remote https://github.com/C2SP/wycheproof refs/heads/master | cut -f1) - LAST_COMMIT=$(grep wycheproof-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') - if ! 
grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## wycheproof\n[Commit: ${SHA}](https://github.com/C2SP/wycheproof/commit/${SHA})\n\n[Diff](https://github.com/C2SP/wycheproof/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - fi - - name: Update wycheproof - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the wycheproof master branch.*/Latest commit on the wycheproof master branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml - sed -E -i "s/ref: \"[0-9a-f]{40}\" # wycheproof-ref/ref: \"${{ steps.check-sha-wycheproof.outputs.COMMIT_SHA }}\" # wycheproof-ref/" .github/actions/fetch-vectors/action.yml - git status - if: steps.check-sha-wycheproof.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: generate-token - with: - app_id: ${{ secrets.BORINGBOT_APP_ID }} - private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} - if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 - with: - branch: "bump-vectors" - commit-message: "Bump x509-limbo and/or wycheproof in CI" - title: "Bump x509-limbo and/or wycheproof in CI" - author: "pyca-boringbot[bot] " - body: | - ${{ steps.check-sha-x509-limbo.outputs.COMMIT_MSG }} - ${{ steps.check-sha-wycheproof.outputs.COMMIT_MSG }} - token: ${{ steps.generate-token.outputs.token }} - if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA diff --git a/.gitignore b/.gitignore index 1d4ebfbc597a..a4e3132297ba 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ target/ .rust-cov/ *.lcov *.profdata +.venv 
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8d7e4703ad90..487de47fb854 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -153,6 +153,9 @@ urllib3==2.2.2 virtualenv==20.26.3 # via nox +pytest-codspeed==2.2.1 + # via cryptography (pyproject.toml) + # The following packages are considered to be unsafe in a requirements file: # cffi # pycparser diff --git a/pyproject.toml b/pyproject.toml index 02689e0a55f3..9cd1b4480ef2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -68,6 +68,7 @@ test = [ "cryptography_vectors", "pytest >=6.2.0", "pytest-benchmark", + "pytest-codspeed", "pytest-cov", "pytest-xdist", "pretend",
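Review bot: `pytest-codspeed==2.2.1` is hand-inserted after the `virtualenv` entry with a `# via cryptography (pyproject.toml)` annotation, but the surrounding file is in pip-compile output form (sorted pins, `# via` provenance, a trailing "unsafe" section), so this edit pins only the top-level package while any transitive dependencies of pytest-codspeed not already listed here stay unconstrained, which defeats the purpose of a CI constraints file. Regenerate the file from the updated `pyproject.toml` with the project's compile tooling instead of editing by hand; that also restores the sorted order. If pytest-codspeed depends on `cffi` (not verified here), note that the visible `# cffi` line is commented out as unsafe, so CI would pick whatever cffi pip resolves rather than a pinned one.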
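Review bot: `"pytest-codspeed",` is added to the `test` extra, which makes a benchmark-reporting plugin a hard install requirement for every contributor and downstream packager who runs the test suite, although as far as this diff shows only the benchmark workflow needs it; consider a dedicated extra such as `bench = ["pytest-benchmark", "pytest-codspeed"]` or installing it only in the benchmark nox session. Leaving it unpinned is consistent with the sibling entries, so the version pin correctly belongs in the constraints file. Separately, this same patch deletes `wheel-builder.yml` and `pypi-publish.yml` (the OIDC trusted-publishing and `attest-build-provenance` release path) along with the lock, stale, linkcheck and vector-bump workflows, with no replacement visible in the diff; a feature change titled "add CodSpeed" should not remove the release pipeline, so this looks like a stale or mis-rebased branch that must be corrected before merge.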