rustls #120
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: rustls | |
permissions: | |
contents: read | |
on: | |
push: | |
pull_request: | |
merge_group: | |
schedule: | |
- cron: '0 18 * * *' | |
jobs: | |
build: | |
name: Build+test | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
rust: | |
- stable | |
- beta | |
- nightly | |
os: | |
- ubuntu-latest | |
- windows-latest | |
- macos-latest | |
exclude: | |
# only stable on macos/windows (slower platforms) | |
- os: windows-latest | |
rust: beta | |
- os: windows-latest | |
rust: nightly | |
- os: macos-latest | |
rust: beta | |
- os: macos-latest | |
rust: nightly | |
# and never use macos/windows for merge checks | |
- os: ${{ github.event_name == 'merge_group' && 'windows-latest' }} | |
- os: ${{ github.event_name == 'merge_group' && 'macos-latest' }} | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install ${{ matrix.rust }} toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ matrix.rust }} | |
- name: Install NASM for aws-lc-rs on Windows | |
if: runner.os == 'Windows' | |
uses: ilammy/setup-nasm@v1 | |
- name: Install ninja-build tool for aws-lc-fips-sys on Windows | |
if: runner.os == 'Windows' | |
uses: seanmiddleditch/gha-setup-ninja@v5 | |
- name: Install golang for aws-lc-fips-sys on macos | |
if: runner.os == 'MacOS' | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.22.2" | |
- name: cargo build (debug; default features) | |
run: cargo build --locked | |
# nb. feature sets that include "fips" should be --release -- | |
# this is required for fips on windows. | |
# nb. "--all-targets" does not include doctests | |
- name: cargo test (release; all features) | |
run: cargo test --release --locked --all-features --all-targets | |
env: | |
RUST_BACKTRACE: 1 | |
# nb. this is separate so it can be skipped on macOS & windows, where | |
# doctests don't work: https://github.com/rust-lang/cargo/issues/8531 | |
- name: cargo test --doc (release; all-features) | |
if: ${{ runner.os != 'macOS' && runner.os != 'Windows' }} | |
run: cargo test --release --locked --all-features --doc | |
env: | |
RUST_BACKTRACE: 1 | |
- name: cargo test (debug; aws-lc-rs) | |
run: cargo test --no-default-features --features aws_lc_rs,tls12,read_buf,logging,std --all-targets | |
env: | |
RUST_BACKTRACE: 1 | |
- name: cargo test (release; fips) | |
run: cargo test --release --no-default-features --features fips,tls12,read_buf,logging,std --all-targets | |
env: | |
RUST_BACKTRACE: 1 | |
- name: cargo build (debug; rustls-provider-example) | |
run: cargo build --locked -p rustls-provider-example | |
- name: cargo build (debug; rustls-provider-example lib in no-std mode) | |
run: cargo build --locked -p rustls-provider-example --no-default-features | |
- name: cargo build (debug; rustls-provider-test) | |
run: cargo build --locked -p rustls-provider-test | |
msrv: | |
name: MSRV | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: "1.63" | |
# zlib-rs is optional and requires a later MSRV | |
- run: cargo check --locked --lib $(admin/all-features-except zlib rustls) -p rustls | |
- uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: "1.75" | |
- run: cargo check --locked --lib --all-features -p rustls | |
features: | |
name: Features | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install stable toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
target: x86_64-unknown-none | |
- name: cargo build (debug; default features) | |
run: cargo build --locked | |
working-directory: rustls | |
# this target does _not_ include the libstd crate in its sysroot | |
# it will catch unwanted usage of libstd in _dependencies_ | |
- name: cargo build (debug; no default features; no-std) | |
run: cargo build --locked --no-default-features --target x86_64-unknown-none | |
working-directory: rustls | |
- name: cargo build (debug; no default features; no-std, hashbrown) | |
run: cargo build --locked --no-default-features --features hashbrown --target x86_64-unknown-none | |
working-directory: rustls | |
- name: cargo test (debug; default features) | |
run: cargo test --locked | |
working-directory: rustls | |
env: | |
RUST_BACKTRACE: 1 | |
- name: cargo test (debug; no default features) | |
run: cargo test --locked --no-default-features | |
working-directory: rustls | |
- name: cargo test (debug; no default features; tls12) | |
run: cargo test --locked --no-default-features --features tls12,std | |
working-directory: rustls | |
- name: cargo test (debug; no default features; aws-lc-rs,tls12) | |
run: cargo test --no-default-features --features aws_lc_rs,tls12,std | |
working-directory: rustls | |
- name: cargo test (debug; no default features; fips,tls12) | |
run: cargo test --no-default-features --features fips,tls12,std | |
working-directory: rustls | |
- name: cargo test (release; no run) | |
run: cargo test --locked --release --no-run | |
working-directory: rustls | |
bogo: | |
name: BoGo test suite | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install stable toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install golang toolchain | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.20" | |
cache: false | |
- name: Run test suite (ring) | |
working-directory: bogo | |
run: ./runme | |
env: | |
BOGO_SHIM_PROVIDER: ring | |
- name: Run test suite (aws-lc-rs) | |
working-directory: bogo | |
run: ./runme | |
env: | |
BOGO_SHIM_PROVIDER: aws-lc-rs | |
- name: Run test suite (aws-lc-rs-fips) | |
working-directory: bogo | |
run: ./runme | |
env: | |
BOGO_SHIM_PROVIDER: aws-lc-rs-fips | |
fuzz: | |
name: Smoke-test fuzzing targets | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: Install cargo fuzz | |
run: cargo install cargo-fuzz | |
- name: Smoke-test fuzz targets | |
run: | | |
cargo fuzz build | |
for target in $(cargo fuzz list) ; do | |
cargo fuzz run $target -- -max_total_time=10 | |
done | |
benchmarks: | |
name: Run benchmarks | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install nightly toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: Smoke-test benchmark program (ring) | |
run: cargo run -p rustls --profile=bench --locked --example bench $(admin/all-features-except aws_lc_rs,aws-lc-rs,fips rustls) | |
- name: Smoke-test benchmark program (aws-lc-rs) | |
run: cargo run -p rustls --profile=bench --locked --example bench $(admin/all-features-except ring,fips rustls) | |
- name: Smoke-test benchmark program (fips) | |
run: cargo run -p rustls --profile=bench --locked --example bench $(admin/all-features-except aws_lc_rs,aws-lc-rs,ring rustls) | |
- name: Run micro-benchmarks | |
run: cargo bench --locked --all-features | |
env: | |
RUSTFLAGS: --cfg=bench | |
docs: | |
name: Check for documentation errors | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: cargo doc (rustls; all features) | |
run: cargo doc --locked --all-features --no-deps --document-private-items --package rustls | |
env: | |
RUSTDOCFLAGS: -Dwarnings | |
- name: Check README.md | |
run: | | |
cargo build --locked --all-features | |
./admin/pull-readme | |
./admin/pull-usage | |
git diff --exit-code | |
coverage: | |
name: Measure coverage | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
components: llvm-tools | |
- name: Install cargo-llvm-cov | |
run: cargo install cargo-llvm-cov | |
- name: Measure coverage | |
run: ./admin/coverage --lcov --output-path final.info | |
- name: Report to codecov.io | |
uses: codecov/codecov-action@v4 | |
with: | |
file: final.info | |
token: ${{ secrets.CODECOV_TOKEN }} | |
fail_ci_if_error: false | |
minver: | |
name: Check minimum versions of direct dependencies | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
- name: Install cargo-minimal-versions | |
uses: taiki-e/install-action@cargo-minimal-versions | |
# cargo-minimal-versions requires cargo-hack | |
- name: Install cargo-hack | |
uses: taiki-e/install-action@cargo-hack | |
- name: Check direct-minimal-versions | |
run: cargo minimal-versions --direct --ignore-private check | |
working-directory: rustls/ | |
cross: | |
name: Check cross compilation targets | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cross | |
uses: taiki-e/install-action@cross | |
- run: cross build --locked --target i686-unknown-linux-gnu | |
semver: | |
name: Check semver compatibility | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Check semver | |
uses: obi1kenobi/cargo-semver-checks-action@v2 | |
format: | |
name: Format | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
components: rustfmt | |
- name: Check formatting | |
run: cargo fmt --all -- --check | |
- name: Check formatting (connect-tests workspace) | |
run: cargo fmt --all --manifest-path=connect-tests/Cargo.toml -- --check | |
- name: Check formatting (fuzz workspace) | |
run: cargo fmt --all --manifest-path=fuzz/Cargo.toml -- --check | |
format-unstable: | |
name: Format (unstable) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust nightly toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
components: rustfmt | |
toolchain: nightly-2024-02-21 | |
- name: Check formatting (unstable) | |
run: cargo fmt --all -- --check --config-path .rustfmt.unstable.toml | |
continue-on-error: true | |
- name: Check formatting (unstable, connect-tests workspace) | |
run: cargo fmt --all --manifest-path=connect-tests/Cargo.toml -- --check --config-path .rustfmt.unstable.toml | |
continue-on-error: true | |
- name: Check formatting (unstable, fuzz workspace) | |
run: cargo fmt --all --manifest-path=fuzz/Cargo.toml -- --check --config-path .rustfmt.unstable.toml | |
continue-on-error: true | |
clippy: | |
name: Clippy | |
runs-on: ubuntu-latest | |
env: | |
# - we want to be free of any warnings, so deny them | |
# - disable incompatible_msrv as it does not understand that we apply our | |
# MSRV to the just the core crate. | |
CLIPPY_PARAMS: --deny warnings --allow clippy::incompatible_msrv | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
components: clippy | |
# because examples enable rustls' features, `--workspace --no-default-features` is not | |
# the same as `--package rustls --no-default-features` so run it separately | |
- run: cargo clippy --locked --package rustls --no-default-features --all-targets -- $CLIPPY_PARAMS | |
- run: cargo clippy --locked --workspace --all-features --all-targets -- $CLIPPY_PARAMS | |
# not part of the workspace | |
- run: cargo clippy --locked --manifest-path=fuzz/Cargo.toml --all-features --all-targets -- $CLIPPY_PARAMS | |
clippy-nightly: | |
name: Clippy (Nightly) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@nightly | |
with: | |
components: clippy | |
- run: cargo clippy --locked --package rustls --no-default-features --all-targets | |
- run: cargo clippy --locked --workspace --all-features --all-targets | |
- run: cargo clippy --locked --manifest-path=fuzz/Cargo.toml --all-features --all-targets | |
check-external-types: | |
name: Validate external types appearing in public API | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: nightly-2024-05-01 | |
# ^ sync with https://github.com/awslabs/cargo-check-external-types/blob/main/rust-toolchain.toml | |
- run: cargo install --locked cargo-check-external-types | |
- name: run cargo-check-external-types for rustls/ | |
working-directory: rustls/ | |
run: cargo check-external-types | |
openssl-tests: | |
name: Run openssl-tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install stable toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: openssl version | |
run: openssl version | |
- name: cargo test (in openssl-tests/) | |
working-directory: openssl-tests/ | |
run: cargo test --locked -- --include-ignored | |
env: | |
RUST_BACKTRACE: 1 |