diff --git a/.github/workflows/auto-close-stale.yml b/.github/workflows/auto-close-stale.yml deleted file mode 100644 index de269c8aceac..000000000000 --- a/.github/workflows/auto-close-stale.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: Auto-close stale issues -on: - workflow_dispatch: - schedule: - - cron: '0 0 * * *' - -permissions: - issues: "write" - pull-requests: "write" - -jobs: - auto-close: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 - with: - only-labels: waiting-on-reporter - days-before-stale: 3 - days-before-close: 5 - stale-issue-message: "This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days." - close-issue-message: "This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it." - close-issue-reason: completed diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index b731d9188e1c..0a9d02ec5fed 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -1,23 +1,18 @@ name: Benchmark on: + push: + branches: + - main pull_request: paths: - '.github/workflows/benchmark.yml' - 'src/**' - 'tests/**' workflow_dispatch: - inputs: - base_commit: - description: The base commit to compare against - permissions: contents: read -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} - cancel-in-progress: true - env: CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse 
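Review bot: Removing the `concurrency` block in `.github/workflows/benchmark.yml` means a superseded pull-request run is no longer cancelled when a new commit is pushed, so benchmark jobs for stale commits keep running to completion. The old group key already falls back to `github.sha`, so the new `push` runs on `main` would each land in their own group and would not cancel one another. Keeping `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}` with `cancel-in-progress: true` therefore looks compatible with the added trigger. If the removal is deliberate, a one-line comment above `permissions:` saying why would save the next reader from re-adding it.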
@@ -28,38 +23,23 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 - with: - persist-credentials: false - path: "cryptography-pr" - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - timeout-minutes: 3 - with: - repository: "pyca/cryptography" - path: "cryptography-base" - ref: "${{ github.event.inputs.base_commit || github.base_ref }}" - name: Clone test vectors timeout-minutes: 2 - uses: ./cryptography-base/.github/actions/fetch-vectors + uses: ./.github/actions/fetch-vectors - name: Setup python id: setup-python uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: - python-version: "3.11" + python-version: "3.12" - - name: Create virtualenv (base) - run: | - python -m venv .venv-base - .venv-base/bin/pip install -v -c ./cryptography-base/ci-constraints-requirements.txt "./cryptography-base[test]" ./cryptography-base/vectors/ - - name: Create virtualenv (PR) + - name: Create virtualenv run: | - python -m venv .venv-pr - .venv-pr/bin/pip install -v -c ./cryptography-pr/ci-constraints-requirements.txt "./cryptography-pr[test]" ./cryptography-pr/vectors/ + python -m venv .venv + .venv/bin/pip install -v -c ./ci-constraints-requirements.txt "./[test]" ./vectors/ - - name: Run benchmarks (base) - run: .venv-base/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-base.json --x509-limbo-root=x509-limbo/ - - name: Run benchmarks (PR) - run: .venv-pr/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-pr.json --x509-limbo-root=x509-limbo/ - - - name: Compare results - run: python ./cryptography-pr/.github/compare_benchmarks.py bench-base.json bench-pr.json | tee -a $GITHUB_STEP_SUMMARY + - name: Run benchmarks + uses: CodSpeedHQ/action@v2 + with: + token: ${{ secrets.CODSPEED_TOKEN }} + run: .venv/bin/pytest --codspeed --benchmark-enable --benchmark-only 
./tests/bench/ --benchmark-json=bench-pr.json --x509-limbo-root=x509-limbo/ diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml deleted file mode 100644 index 50e3a35a8ab8..000000000000 --- a/.github/workflows/boring-open-version-bump.yml +++ /dev/null 
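Review bot: In `.github/workflows/benchmark.yml`, the new `Run benchmarks` step references `CodSpeedHQ/action@v2` by a mutable tag and passes it `secrets.CODSPEED_TOKEN`, while every other action in this file is pinned to a full commit SHA with a version comment. If `v2` were ever retagged, the replacement code would run with that secret, so pin it the same way: `uses: CodSpeedHQ/action@<full-commit-sha> # <version>` (placeholders; take the SHA from the release you intend to use). The same hunk also drops `persist-credentials: false` from the remaining `actions/checkout` step, which leaves the job token in the checkout's git config while pull-request code is installed and run; I would keep `with:` / `persist-credentials: false` there. The `--benchmark-json=bench-pr.json` argument looks like a leftover now that the compare step is gone.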
@@ -1,71 +0,0 @@ -name: Bump BoringSSL and/or OpenSSL -permissions: - contents: read - -on: - workflow_dispatch: - schedule: - # Run daily - - cron: "0 0 * * *" - -jobs: - bump: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - id: check-sha-boring - run: | - SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) - LAST_COMMIT=$(grep boringssl .github/workflows/ci.yml | grep TYPE | grep -oE '[a-f0-9]{40}') - if ! grep -q "$SHA" .github/workflows/ci.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## BoringSSL\n[Commit: ${SHA}](https://boringssl.googlesource.com/boringssl/+/${SHA})\n\n[Diff](https://boringssl.googlesource.com/boringssl/+/${LAST_COMMIT}..${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - - fi - - id: check-sha-openssl - run: | - SHA=$(git ls-remote https://github.com/openssl/openssl refs/heads/master | cut -f1) - LAST_COMMIT=$(grep openssl .github/workflows/ci.yml | grep TYPE | grep -oE '[a-f0-9]{40}') - if ! grep -q "$SHA" .github/workflows/ci.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## OpenSSL\n[Commit: ${SHA}](https://github.com/openssl/openssl/commit/${SHA})\n\n[Diff](https://github.com/openssl/openssl/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." 
>> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - fi - - name: Update boring - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the BoringSSL master branch.*/Latest commit on the BoringSSL master branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml - sed -E -i "s/TYPE: \"boringssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"boringssl\", VERSION: \"${{ steps.check-sha-boring.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml - git status - if: steps.check-sha-boring.outputs.COMMIT_SHA - - name: Update OpenSSL - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the OpenSSL master branch.*/Latest commit on the OpenSSL master branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml - sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml - git status - if: steps.check-sha-openssl.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: generate-token - with: - app_id: ${{ secrets.BORINGBOT_APP_ID }} - private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} - if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - - name: Create Pull Request - uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 - with: - branch: "bump-openssl-boringssl" - commit-message: "Bump BoringSSL and/or OpenSSL in CI" - title: "Bump BoringSSL and/or OpenSSL in CI" - author: "pyca-boringbot[bot] " - body: | - ${{ steps.check-sha-boring.outputs.COMMIT_MSG }} - ${{ steps.check-sha-openssl.outputs.COMMIT_MSG }} - token: ${{ steps.generate-token.outputs.token }} - if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh deleted file mode 100755 index abdd09cf3e55..000000000000 
--- a/.github/workflows/build_openssl.sh +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/bin/bash -set -e -set -x - -shlib_sed() { - # modify the shlib version to a unique one to make sure the dynamic - # linker doesn't load the system one. - sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile - sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile - sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile -} -shlib_sed_3() { - # OpenSSL 3 changes how it does the shlib versioning - sed -i "s/^SHLIB_VERSION=.*/SHLIB_VERSION=100/" VERSION.dat -} - -if [[ "${TYPE}" == "openssl" ]]; then - if [[ "${VERSION}" =~ ^[0-9a-f]{40}$ ]]; then - git clone https://github.com/openssl/openssl - pushd openssl - git checkout "${VERSION}" - else - curl -O "https://www.openssl.org/source/openssl-${VERSION}.tar.gz" - tar zxf "openssl-${VERSION}.tar.gz" - pushd "openssl-${VERSION}" - fi - # For OpenSSL 3 we need to call this before config - if [[ "${VERSION}" =~ ^3. ]] || [[ "${VERSION}" =~ ^[0-9a-f]{40}$ ]]; then - shlib_sed_3 - fi - - # CONFIG_FLAGS is a global coming from a previous step - ./config ${CONFIG_FLAGS} -fPIC --prefix="${OSSL_PATH}" - - # For OpenSSL 1 we need to call this after config - if [[ "${VERSION}" =~ ^1. ]]; then - shlib_sed - fi - make depend - make -j"$(nproc)" - # avoid installing the docs (for performance) - # https://github.com/openssl/openssl/issues/6685#issuecomment-403838728 - make install_sw install_ssldirs - # delete binaries we don't need - rm -rf "${OSSL_PATH}/bin" - # For OpenSSL 3.0.0 set up the FIPS config. This does not activate it by - # default, but allows programmatic activation at runtime - if [[ "${VERSION}" =~ ^3. 
&& "${CONFIG_FLAGS}" =~ enable-fips ]]; then - # As of alpha16 we have to install it separately and enable it in the config flags - make -j"$(nproc)" install_fips - pushd "${OSSL_PATH}" - # include the conf file generated as part of install_fips - sed -i "s:# .include fipsmodule.cnf:.include $(pwd)/ssl/fipsmodule.cnf:" ssl/openssl.cnf - # uncomment the FIPS section - sed -i 's:# fips = fips_sect:fips = fips_sect:' ssl/openssl.cnf - popd - fi - popd -elif [[ "${TYPE}" == "libressl" ]]; then - curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" - tar zxf "libressl-${VERSION}.tar.gz" - pushd "libressl-${VERSION}" - cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" - make -C build -j"$(nproc)" install - # delete binaries, libtls, and docs we don't need. can't skip install/compile sadly - rm -rf "${OSSL_PATH}/bin" - rm -rf "${OSSL_PATH}/share" - rm -rf "${OSSL_PATH}/lib/libtls*" - popd -elif [[ "${TYPE}" == "boringssl" ]]; then - git clone https://boringssl.googlesource.com/boringssl - pushd boringssl - git checkout "${VERSION}" - cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" - make -C build -j"$(nproc)" install - # delete binaries we don't need - rm -rf "${OSSL_PATH}/bin" - popd - rm -rf boringssl/ -fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index 183194242c82..000000000000 --- a/.github/workflows/ci.yml +++ /dev/null 
@@ -1,490 +0,0 @@ -name: CI -on: - pull_request: {} - push: - branches: - - main - - '*.*.x' - tags: - - '*.*' - - '*.*.*' - -permissions: - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} - cancel-in-progress: true - -env: - CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse - CARGO_INCREMENTAL: 0 - -jobs: - linux: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - PYTHON: - - {VERSION: "3.12", NOXSESSION: "flake"} - - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 18, 2024. 
- - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f374e1af18c25700923985f6613417847e8f6ab1"}} - # Latest commit on the OpenSSL master branch, as of Apr 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e1fd043ad7fa865a8ef9160c892b49a098d23c71"}} - # Builds with various Rust versions. Includes MSRV and next - # potential future MSRV. - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} - timeout-minutes: 15 - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Setup python - id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - name: Setup rust - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 - with: - toolchain: ${{ matrix.PYTHON.RUST }} - components: rustfmt,clippy - if: matrix.PYTHON.RUST - - - run: rustup component add llvm-tools-preview - if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' - - name: Clone test vectors - timeout-minutes: 2 - uses: ./.github/actions/fetch-vectors - if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' && matrix.PYTHON.NOXSESSION != 'rust' - - name: Compute config hash and set config vars - run: | - DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" - CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS" - OPENSSL_HASH=$(echo "${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-$CONFIG_FLAGS" | sha1sum | sed 's/ .*$//') - echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV - echo "OPENSSL_HASH=${OPENSSL_HASH}" >> $GITHUB_ENV - echo "OSSL_INFO=${{ 
matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV - echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${OPENSSL_HASH}" >> $GITHUB_ENV - env: - CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} - if: matrix.PYTHON.OPENSSL - - name: Load OpenSSL cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: ossl-cache - timeout-minutes: 2 - with: - path: ${{ github.workspace }}/osslcache - # When altering the openssl build process you may need to increment - # the value on the end of this cache key so that you can prevent it - # from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-12 - if: matrix.PYTHON.OPENSSL - - name: Build custom OpenSSL/LibreSSL - run: .github/workflows/build_openssl.sh - env: - TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }} - VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }} - if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true' - - name: Set CFLAGS/LDFLAGS - run: | - echo "OPENSSL_DIR=${OSSL_PATH}" >> $GITHUB_ENV - echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration" >> $GITHUB_ENV - echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV - if: matrix.PYTHON.OPENSSL - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - # We have both the Python version from the matrix and from the - # setup-python step because the latter doesn't distinguish - # pypy3-3.8 and pypy3-3.9 -- both of them show up as 7.3.11. 
- key: ${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-${{ matrix.PYTHON.NOXSESSION }}-${{ env.OPENSSL_HASH }} - - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - - name: Create nox environment - run: | - nox -v --install-only - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: Tests - run: | - nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo ${{ matrix.PYTHON.NOXARGS }} - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - COLUMNS: 80 - CRYPTOGRAPHY_OPENSSL_NO_LEGACY: ${{ matrix.PYTHON.OPENSSL.NO_LEGACY }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - - uses: ./.github/actions/upload-coverage - - distros: - runs-on: ${{ matrix.IMAGE.RUNNER }} - container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }} - strategy: - fail-fast: false - matrix: - IMAGE: - - {IMAGE: "rhel8", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "rhel8-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "buster", NOXSESSION: "tests-nocoverage", RUNNER: "ubuntu-latest"} - - {IMAGE: "bullseye", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "bookworm", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "trixie", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "sid", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-focal", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-jammy", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-noble", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "ubuntu-rolling", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "fedora", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "alpine", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "centos-stream9", 
NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "centos-stream9-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - - {IMAGE: "ubuntu-jammy:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - timeout-minutes: 15 - env: - RUSTUP_HOME: /root/.rustup - steps: - - name: Ridiculous alpine workaround for actions support on arm64 - run: | - # This modifies /etc/os-release so the JS actions - # from GH can't detect that it's on alpine:aarch64. It will - # then use a glibc nodejs, which works fine when gcompat - # is installed in the container (which it is) - sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release - if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - key: ${{ matrix.IMAGE.IMAGE }} - - name: Clone test vectors - timeout-minutes: 2 - uses: ./.github/actions/fetch-vectors - # When run in a docker container the home directory doesn't have the same owner as the - # apparent user so pip refuses to create a cache dir - - name: create pip cache dir - run: mkdir -p "${HOME}/.cache/pip" - - run: | - echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV - if: matrix.IMAGE.FIPS - - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - - run: '/venv/bin/nox -v --install-only' - env: - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - # OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream - OPENSSL_ENABLE_SHA1_SIGNATURES: 1 - NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }} - - run: '/venv/bin/nox --no-install -- --color=yes --wycheproof-root="wycheproof" --x509-limbo-root="x509-limbo"' - env: - COLUMNS: 80 - # OPENSSL_ENABLE_SHA1_SIGNATURES is for 
CentOS 9 Stream - OPENSSL_ENABLE_SHA1_SIGNATURES: 1 - NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }} - - uses: ./.github/actions/upload-coverage - - macos: - runs-on: ${{ matrix.RUNNER.OS }} - strategy: - fail-fast: false - matrix: - RUNNER: - - {OS: 'macos-13', ARCH: 'x86_64'} - - {OS: 'macos-14', ARCH: 'arm64'} - PYTHON: - - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests"} - exclude: - # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - - PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - RUNNER: {OS: 'macos-14', ARCH: 'arm64'} - timeout-minutes: 15 - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - - - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: rustup component add llvm-tools-preview - - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - - - name: Clone test vectors - timeout-minutes: 2 - uses: ./.github/actions/fetch-vectors - - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 - with: - repo: pyca/infra - workflow: build-macos-openssl.yml - branch: main - workflow_conclusion: success - name: openssl-macos-universal2 - path: "../openssl-macos-universal2/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Build nox environment - run: | - OPENSSL_DIR=$(readlink -f ../openssl-macos-universal2/) \ - OPENSSL_STATIC=1 \ - CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers 
-Wno-error=unused-function -mmacosx-version-min=10.12" \ - nox -v --install-only - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - COLUMNS: 80 - - - uses: ./.github/actions/upload-coverage - - windows: - runs-on: windows-latest - strategy: - fail-fast: false - matrix: - WINDOWS: - - {ARCH: 'x86', WINDOWS: 'win32'} - - {ARCH: 'x64', WINDOWS: 'win64'} - PYTHON: - - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests"} - timeout-minutes: 15 - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Setup python - id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - architecture: ${{ matrix.WINDOWS.ARCH }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: rustup component add llvm-tools-preview - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 - with: - repo: pyca/infra - workflow: build-windows-openssl.yml - branch: main - workflow_conclusion: success - name: "openssl-${{ matrix.WINDOWS.WINDOWS }}" - path: "C:/openssl-${{ matrix.WINDOWS.WINDOWS }}/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Configure - run: | - echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV - 
shell: bash - - - name: Clone test vectors - timeout-minutes: 2 - uses: ./.github/actions/fetch-vectors - - - name: Build nox environment - run: nox -v --install-only - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo - env: - NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} - COLUMNS: 80 - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - - uses: ./.github/actions/upload-coverage - - linux-downstream: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - DOWNSTREAM: - - paramiko - - pyopenssl - - pyopenssl-release - - twisted - - aws-encryption-sdk - - dynamodb-encryption-sdk - - certbot - - certbot-josepy - - mitmproxy - - scapy - PYTHON: - - '3.12' - name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" - timeout-minutes: 15 - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: ${{ matrix.PYTHON }} - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install - - run: pip install . - env: - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - # cryptography main has a version of "(X+1).0.0.dev1" where X is the - # most recently released major version. A package used by a downstream - # may depend on cryptography <=X. If you use entrypoints stuff, this can - # lead to runtime errors due to version incompatibilities. Rename the - # dist-info directory to pretend to be an older version to "solve" this. 
- - run: | - import json - import importlib.metadata - import shutil - import urllib.request - - d = importlib.metadata.distribution("cryptography") - with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r: - latest_version = json.load(r)["info"]["version"] - new_path = d.locate_file(f"cryptography-{latest_version}.dist-info") - shutil.move(d.locate_file(f"cryptography-{d.version}.dist-info"), new_path) - shell: python - - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run - - all-green: - # https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert - runs-on: ubuntu-latest - needs: [linux, distros, macos, windows, linux-downstream] - if: ${{ always() }} - timeout-minutes: 3 - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - timeout-minutes: 3 - with: - persist-credentials: false - - name: Decide whether the needed jobs succeeded or failed - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 - with: - jobs: ${{ toJSON(needs) }} - - name: Setup python - if: ${{ always() }} - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: '3.12' - cache: pip - cache-dependency-path: ci-constraints-requirements.txt - timeout-minutes: 3 - - run: pip install -c ci-constraints-requirements.txt coverage[toml] - if: ${{ always() }} - - name: Download coverage data - if: ${{ always() }} - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 - with: - pattern: coverage-data-* - merge-multiple: true - - name: Combine coverage and fail if it's <100%. - if: ${{ always() }} - id: combinecoverage - run: | - set +e - python -m coverage combine - echo "## Python Coverage" >> $GITHUB_STEP_SUMMARY - python -m coverage report -m --fail-under=100 > COV_REPORT - COV_EXIT_CODE=$? 
- cat COV_REPORT - if [ $COV_EXIT_CODE -ne 0 ]; then - echo "🚨 Python Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY - fi - echo '```' >> $GITHUB_STEP_SUMMARY - cat COV_REPORT >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - exit $COV_EXIT_CODE - - name: Combine rust coverage and fail if it's <100%. - if: ${{ always() }} - id: combinerustcoverage - run: | - set +e - sudo apt-get install -y lcov - RUST_COVERAGE_OUTPUT=$(lcov $(for f in *.lcov; do echo --add-tracefile "$f"; done) -o combined.lcov | grep lines) - echo "## Rust Coverage" >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - echo $RUST_COVERAGE_OUTPUT >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - if ! echo "$RUST_COVERAGE_OUTPUT" | grep "100.0%"; then - echo "🚨 Rust Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY - exit 1 - fi - - name: Create rust coverage HTML - run: genhtml combined.lcov -o rust-coverage - if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }} - - name: Create coverage HTML - run: python -m coverage html - if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - - name: Upload HTML report. - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 - with: - name: _html-report - path: htmlcov - if-no-files-found: ignore - if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - - name: Upload rust HTML report. - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 - with: - name: _html-rust-report - path: rust-coverage - if-no-files-found: ignore - if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }} diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml deleted file mode 100644 index b06da096537f..000000000000 --- a/.github/workflows/linkcheck.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: linkcheck -on: - pull_request: - paths: - - docs/conf.py - - .github/workflows/linkcheck.yml - schedule: - # Run once a week on Fridays - - cron: "0 0 * * FRI" - -permissions: - contents: read - -env: - CARGO_INCREMENTAL: 0 - -jobs: - docs-linkcheck: - runs-on: ubuntu-latest - name: "linkcheck" - timeout-minutes: 10 - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Setup python - id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: 3.11 - - name: Cache rust and pip - uses: ./.github/actions/cache - timeout-minutes: 2 - with: - # This creates the same key as the docs job (as long as they have the same - # python version) - key: 3.11-${{ steps.setup-python.outputs.python-version }} - - run: python -m pip install -c ci-constraints-requirements.txt nox - - name: Build nox environment - run: | - nox -v --install-only -s docs-linkcheck - env: - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - - name: linkcheck - run: nox --no-install -s docs-linkcheck -- --color=yes diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml deleted file mode 100644 index f037c6555c4f..000000000000 --- a/.github/workflows/lock.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Lock Issues -on: - workflow_dispatch: - schedule: - - cron: '0 3 * * *' - -permissions: - issues: "write" - -jobs: - lock: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - issue-inactive-days: 90 - pr-inactive-days: 90 diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml deleted file mode 100644 index 90e3ad79608f..000000000000 --- a/.github/workflows/pypi-publish.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -name: Publish to PyPI - -on: - workflow_dispatch: - inputs: - run_id: - description: The run of wheel-builder to use for finding artifacts. - required: true - environment: - description: Which PyPI environment to upload to - required: true - type: choice - options: ["testpypi", "pypi"] - workflow_run: - workflows: ["Wheel Builder"] - types: [completed] - -env: - PUBLISH_REQUIREMENTS_PATH: .github/requirements/publish-requirements.txt - -permissions: - contents: read - -jobs: - publish: - runs-on: ubuntu-latest - # We're not actually verifying that the triggering push event was for a - # tag, because github doesn't expose enough information to do so. - # wheel-builder.yml currently only has push events for tags. - if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success') - permissions: - id-token: "write" - steps: - - run: echo "$EVENT_CONTEXT" - env: - EVENT_CONTEXT: ${{ toJson(github.event) }} - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: "3.11" - - name: Get publish-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - sparse-checkout: | - ${{ env.PUBLISH_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - persist-credentials: false - - name: Install Python dependencies - run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 - with: - path: dist/ - run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} - - - run: | - echo "OIDC_AUDIENCE=pypi" >> $GITHUB_ENV - echo "PYPI_DOMAIN=pypi.org" >> $GITHUB_ENV - echo "TWINE_REPOSITORY=pypi" >> $GITHUB_ENV - echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV - if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && 
github.event.inputs.environment == 'pypi') - - run: | - echo "OIDC_AUDIENCE=testpypi" >> $GITHUB_ENV - echo "PYPI_DOMAIN=test.pypi.org" >> $GITHUB_ENV - echo "TWINE_REPOSITORY=testpypi" >> $GITHUB_ENV - echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV - if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi' - - - run: | - import os - - import requests - - response = requests.get( - os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"], - params={"audience": os.environ["OIDC_AUDIENCE"]}, - headers={"Authorization": f"bearer {os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"} - ) - response.raise_for_status() - token = response.json()["value"] - - response = requests.post(f"https://{os.environ['PYPI_DOMAIN']}/_/oidc/mint-token", json={"token": token}) - response.raise_for_status() - pypi_token = response.json()["token"] - - with open(os.environ["GITHUB_ENV"], "a") as f: - print(f"::add-mask::{pypi_token}") - f.write(f"TWINE_PASSWORD={pypi_token}\n") - shell: python - - - run: twine upload --skip-existing $(find dist/ -type f -name 'cryptography*') - - # Do not perform sigstore signatures for things for TestPyPI. This is - # because there's nothing that would prevent a malicious PyPI from - # serving a signed TestPyPI asset in place of a release intended for - # PyPI. - - run: sigstore sign $(find dist/ -type f -name 'cryptography*') - if: env.TWINE_REPOSITORY == 'pypi' diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml deleted file mode 100644 index 18579f6c60fc..000000000000 --- a/.github/workflows/wheel-builder.yml +++ /dev/null 
@@ -1,366 +0,0 @@ -name: Wheel Builder -permissions: - contents: read -on: - workflow_dispatch: - inputs: - version: - description: The version to build - # Do not add any non-tag push events without updating pypi-publish.yml. If - # you do, it'll upload wheels to PyPI. - push: - tags: - - '*.*' - - '*.*.*' - pull_request: - paths: - - .github/workflows/wheel-builder.yml - - .github/requirements/** - - pyproject.toml - - vectors/pyproject.toml - -env: - BUILD_REQUIREMENTS_PATH: .github/requirements/build-requirements.txt - -jobs: - sdist: - runs-on: ubuntu-latest - name: sdists - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - - - run: python -m venv .venv - - name: Install Python dependencies - run: .venv/bin/pip install -U pip build - - name: Make sdist (cryptography) - run: .venv/bin/python -m build --sdist - - name: Make sdist and wheel (vectors) - run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: "cryptography-sdist" - path: dist/cryptography* - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: "vectors-sdist-wheel" - path: vectors/dist/cryptography* - - manylinux: - needs: [sdist] - runs-on: ${{ matrix.MANYLINUX.RUNNER }} - container: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }} - strategy: - fail-fast: false - matrix: - PYTHON: - - { VERSION: "cp311-cp311", ABI_VERSION: 'cp37' } - - { VERSION: "cp311-cp311", ABI_VERSION: 'cp39' } - - { VERSION: "pp39-pypy39_pp73" } - - { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: - - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } - - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: 
"ubuntu-latest"} - - { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } - - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - exclude: - # There are no readily available musllinux PyPy distributions - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - 
PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - # We also don't build pypy wheels for anything except the latest manylinux - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" - steps: - - name: Ridiculous alpine workaround for actions support on arm64 - run: | - # This modifies /etc/os-release so the JS actions - # from GH can't detect that it's on alpine:aarch64. 
It will - # then use a glibc nodejs, which works fine when gcompat - # is installed in the container (which it is) - sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release - if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - - - name: Get build-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - sparse-checkout: | - ${{ env.BUILD_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - - run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv - - name: Install Python dependencies - run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: cryptography-sdist - - run: mkdir tmpwheelhouse - - name: Build the wheel - run: | - if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" - fi - OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ - OPENSSL_STATIC=1 \ - .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse - env: - RUSTUP_HOME: /root/.rustup - - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/ - - run: unzip wheelhouse/*.whl -d execstack.check - - run: | - results=$(readelf -lW execstack.check/cryptography/hazmat/bindings/*.so) - count=$(echo "$results" | grep -c 'GNU_STACK.*[R ][W ]E' || true) - if [ "$count" -ne 0 ]; then - exit 1 - else - exit 0 - fi - - run: .venv/bin/pip install cryptography --no-index -f wheelhouse/ - - run: | - .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import 
backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - run: mkdir cryptography-wheelhouse - - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" - path: cryptography-wheelhouse/ - - macos: - needs: [sdist] - runs-on: macos-13 - strategy: - fail-fast: false - matrix: - PYTHON: - - VERSION: '3.11' - ABI_VERSION: 'cp37' - # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel - DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' - BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' - # This archflags is default, but let's be explicit - ARCHFLAGS: '-arch x86_64 -arch arm64' - # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 - # This will change in the future as we change the base Python we - # build against - _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - - VERSION: '3.11' - ABI_VERSION: 'cp39' - # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel - DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' - BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' - # This archflags is default, but let's be explicit - ARCHFLAGS: '-arch x86_64 -arch arm64' - # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 - # This will change in the future as we change the base Python we - # build against - _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - - VERSION: '3.11' - 
ABI_VERSION: 'cp37' - DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' - BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' - # We continue to build a non-universal2 for a bit to see metrics on - # download counts (this is a proxy for pip version since universal2 - # requires a 21.x pip) - ARCHFLAGS: '-arch x86_64' - _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - - VERSION: 'pypy-3.9' - BIN_PATH: 'pypy3' - DEPLOYMENT_TARGET: '10.12' - _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - ARCHFLAGS: '-arch x86_64' - - VERSION: 'pypy-3.10' - BIN_PATH: 'pypy3' - DEPLOYMENT_TARGET: '10.12' - _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - ARCHFLAGS: '-arch x86_64' - name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" - steps: - - name: Get build-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - sparse-checkout: | - ${{ env.BUILD_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - - name: Setup python - run: | - curl "$PYTHON_DOWNLOAD_URL" -o python.pkg - sudo installer -pkg python.pkg -target / - env: - PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} - if: contains(matrix.PYTHON.VERSION, 'pypy') == false - - name: Setup pypy - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 - with: - repo: pyca/infra - workflow: build-macos-openssl.yml - branch: main - workflow_conclusion: success - name: openssl-macos-universal2 - path: "../openssl-macos-universal2/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - 
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 - with: - toolchain: stable - # Add the arm64 target in addition to the native arch (x86_64) - target: aarch64-apple-darwin - - run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv - - name: Install Python dependencies - run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: cryptography-sdist - - run: mkdir wheelhouse - - name: Build the wheel - run: | - if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" - fi - - OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ - OPENSSL_STATIC=1 \ - venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse - env: - MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }} - ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }} - _PYTHON_HOST_PLATFORM: ${{ matrix.PYTHON._PYTHON_HOST_PLATFORM }} - - run: venv/bin/pip install -f wheelhouse/ --no-index cryptography - - name: Show the wheel's minimum macOS SDK and architectures - run: | - find venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \; - - run: | - venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - - run: mkdir cryptography-wheelhouse - - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - run: | - echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" - path: 
cryptography-wheelhouse/ - - windows: - needs: [sdist] - runs-on: windows-latest - strategy: - fail-fast: false - matrix: - WINDOWS: - - {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'} - PYTHON: - - {VERSION: "3.11", "ABI_VERSION": "cp37"} - - {VERSION: "3.11", "ABI_VERSION": "cp39"} - - {VERSION: "pypy-3.9"} - - {VERSION: "pypy-3.10"} - exclude: - # We need to exclude the below configuration because there is no 32-bit pypy3 - - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - PYTHON: {VERSION: "pypy-3.9"} - - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - PYTHON: {VERSION: "pypy-3.10"} - name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" - steps: - - name: Get build-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - # The tag to build or the tag received by the tag event - ref: ${{ github.event.inputs.version || github.ref }} - persist-credentials: false - sparse-checkout: | - ${{ env.BUILD_REQUIREMENTS_PATH }} - sparse-checkout-cone-mode: false - - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: cryptography-sdist - - - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 - with: - python-version: ${{ matrix.PYTHON.VERSION }} - architecture: ${{ matrix.WINDOWS.ARCH }} - - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 - with: - toolchain: stable - target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 - with: - repo: pyca/infra - workflow: build-windows-openssl.yml - branch: main - workflow_conclusion: success - name: "openssl-${{ matrix.WINDOWS.WINDOWS }}" - path: "C:/openssl-${{ 
matrix.WINDOWS.WINDOWS }}/" - github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Configure OpenSSL - run: | - echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV - echo "OPENSSL_STATIC=1" >> $GITHUB_ENV - shell: bash - - name: Install Python dependencies - run: python -m pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - run: mkdir wheelhouse - - run: | - if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" - fi - - python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ - shell: bash - - run: pip install -f wheelhouse --no-index cryptography - - name: Print the OpenSSL we built and linked against - run: | - python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - - run: mkdir cryptography-wheelhouse - - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" - path: cryptography-wheelhouse\ diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml deleted file mode 100644 index a3e3ff51f608..000000000000 --- a/.github/workflows/x509-limbo-version-bump.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -name: Bump x509-limbo and/or wycheproof -permissions: - contents: read - -on: - workflow_dispatch: - schedule: - # Run daily - - cron: "0 0 * * *" - -jobs: - bump: - if: github.repository_owner == 'pyca' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - id: check-sha-x509-limbo - run: | - SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) - LAST_COMMIT=$(grep x509-limbo-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') - if ! grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## x509-limbo\n[Commit: ${SHA}](https://github.com/C2SP/x509-limbo/commit/${SHA})\n\n[Diff](https://github.com/C2SP/x509-limbo/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - fi - - name: Update x509-limbo - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the x509-limbo main branch.*/Latest commit on the x509-limbo main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml - sed -E -i "s/ref: \"[0-9a-f]{40}\" # x509-limbo-ref/ref: \"${{ steps.check-sha-x509-limbo.outputs.COMMIT_SHA }}\" # x509-limbo-ref/" .github/actions/fetch-vectors/action.yml - git status - if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA - - id: check-sha-wycheproof - run: | - SHA=$(git ls-remote https://github.com/C2SP/wycheproof refs/heads/master | cut -f1) - LAST_COMMIT=$(grep wycheproof-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') - if ! 
grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then - echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT - echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## wycheproof\n[Commit: ${SHA}](https://github.com/C2SP/wycheproof/commit/${SHA})\n\n[Diff](https://github.com/C2SP/wycheproof/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - fi - - name: Update wycheproof - run: | - set -xe - CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the wycheproof master branch.*/Latest commit on the wycheproof master branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml - sed -E -i "s/ref: \"[0-9a-f]{40}\" # wycheproof-ref/ref: \"${{ steps.check-sha-wycheproof.outputs.COMMIT_SHA }}\" # wycheproof-ref/" .github/actions/fetch-vectors/action.yml - git status - if: steps.check-sha-wycheproof.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: generate-token - with: - app_id: ${{ secrets.BORINGBOT_APP_ID }} - private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} - if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - - name: Create Pull Request - uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 - with: - branch: "bump-vectors" - commit-message: "Bump x509-limbo and/or wycheproof in CI" - title: "Bump x509-limbo and/or wycheproof in CI" - author: "pyca-boringbot[bot] " - body: | - ${{ steps.check-sha-x509-limbo.outputs.COMMIT_MSG }} - ${{ steps.check-sha-wycheproof.outputs.COMMIT_MSG }} - token: ${{ steps.generate-token.outputs.token }} - if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA diff --git a/.gitignore b/.gitignore index 1d4ebfbc597a..a4e3132297ba 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ target/ .rust-cov/ *.lcov *.profdata +.venv 
diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 546d05971bd8..ef0f95a0add0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.3.0; python_version >= "3.8" +argcomplete==3.3.0 # via nox babel==2.14.0 # via sphinx @@ -16,7 +16,9 @@ build==1.2.1 # check-sdist # cryptography (pyproject.toml) certifi==2024.2.2 - # via requests + # via + # cryptography (pyproject.toml) + # requests charset-normalizer==3.3.2 # via requests check-sdist==0.1.3 @@ -25,10 +27,8 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.4; python_version >= "3.8" - # via - # coverage - # pytest-cov +coverage==7.4.4 + # via pytest-cover distlib==0.3.8 # via virtualenv docutils==0.20.1 @@ -36,12 +36,12 @@ docutils==0.20.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.2.0 - # via pytest -execnet==2.1.1; python_version >= "3.8" +execnet==2.1.1 # via pytest-xdist -filelock==3.13.4; python_version >= "3.8" - # via virtualenv +filelock==3.13.4 + # via + # pytest-codspeed + # virtualenv idna==3.7 # via requests imagesize==1.4.1 @@ -68,9 +68,9 @@ packaging==24.0 # sphinx pathspec==0.12.1 # via check-sdist -platformdirs==4.2.0; python_version >= "3.8" +platformdirs==4.2.0 # via virtualenv -pluggy==1.4.0; python_version >= "3.8" +pluggy==1.4.0 # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) 
@@ -86,16 +86,19 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.1.1; python_version >= "3.8" +pytest==8.1.1 # via # cryptography (pyproject.toml) # pytest-benchmark + # pytest-codspeed # pytest-cov # pytest-randomly # pytest-xdist pytest-benchmark==4.0.0 # via cryptography (pyproject.toml) -pytest-cov==5.0.0; python_version >= "3.8" +pytest-codspeed==2.2.1 + # via cryptography (pyproject.toml) +pytest-cov==5.0.0 # via cryptography (pyproject.toml) pytest-randomly==3.15.0 # via cryptography (pyproject.toml) @@ -113,12 +116,7 @@ sphinx==7.3.6 # via # cryptography (pyproject.toml) # sphinx-rtd-theme - # sphinxcontrib-applehelp - # sphinxcontrib-devhelp - # sphinxcontrib-htmlhelp # sphinxcontrib-jquery - # sphinxcontrib-qthelp - # sphinxcontrib-serializinghtml # sphinxcontrib-spelling sphinx-rtd-theme==2.0.0 # via cryptography (pyproject.toml) @@ -138,15 +136,7 @@ sphinxcontrib-serializinghtml==1.1.10 # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) -tomli==2.0.1 - # via - # build - # check-manifest - # coverage - # mypy - # pyproject-hooks - # pytest -typing-extensions==4.11.0; python_version >= "3.8" +typing-extensions==4.11.0 # via mypy urllib3==2.2.1 # via requests @@ -156,3 +146,4 @@ virtualenv==20.25.3 # The following packages are considered to be unsafe in a requirements file: # cffi # pycparser +# setuptools diff --git a/pyproject.toml b/pyproject.toml index 64e33aac8aca..72c9c343e50c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -74,6 +74,7 @@ test = [ "cryptography_vectors", "pytest >=6.2.0", "pytest-benchmark", + "pytest-codspeed", "pytest-cov", "pytest-xdist", "pretend",
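Review bot: Adding `"pytest-codspeed"` to the general `test` extra in the pyproject.toml hunk makes every install of that extra pull in a third-party pytest plugin that only benchmark runs appear to need, and pytest normally auto-loads any installed plugin, so it would be active in ordinary test sessions too. Keeping it in its own extra, for example `benchmark = ["pytest-codspeed"]`, and installing that extra only where benchmarks run would keep the default test dependency set smaller. The entry is also unbounded, so an install that does not apply the constraints file (which pins `pytest-codspeed==2.2.1` in this commit) resolves whatever version is current. The `test = [` list opens in the hunk header and closes outside the hunk, so the rest of the extra is not visible here.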