xref: /external/conscrypt/.github/workflows/ci.yml

name: Continuous integration

on:
  push:
  pull_request:
  schedule:
    # Run every day at midnight UTC
    - cron: '0 0 * * *'

jobs:
  boringssl_clone:
    # This step ensures that all builders have the same version of BoringSSL
    runs-on: ubuntu-latest

    steps:
      - name: Clone BoringSSL repo
        run: |
          git clone --depth 1 --filter=blob:none --no-checkout https://github.com/google/boringssl.git "${{ runner.temp }}/boringssl"
          echo Using BoringSSL commit: $(cd "${{ runner.temp }}/boringssl"; git rev-parse HEAD)

      - name: Archive BoringSSL source
        uses: actions/upload-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl
          retention-days: 1
          include-hidden-files: true
          if-no-files-found: error

  clang_format_check:
    # Only run on pull requests.
    if: ${{ startsWith(github.ref, 'refs/pull/') }}
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get git-clang-format
        # Uses the most recent clang-format on Ubuntu.
        run: |
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends clang-format

      - name: Run git-clang-format against source branch
        run: |
          git clang-format --style=file --diff origin/$GITHUB_BASE_REF '*.c' '*.h' '*.cc' '*.cpp' '*.java'

  build:
    needs: boringssl_clone

    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-latest, windows-latest]
        include:
          - platform: ubuntu-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip
          - platform: macos-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-mac-9477386_latest.zip
          - platform: windows-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-win-9477386_latest.zip

    runs-on: ${{ matrix.platform }}

    steps:
      - name: Set up JDK 11 for toolchains
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: 11

      - name: Set runner-specific environment variables
        shell: bash
        run: |
          echo "ANDROID_HOME=${{ runner.temp }}/android-sdk" >> $GITHUB_ENV
          echo "ANDROID_SDK_ROOT=${{ runner.temp }}/android-sdk" >> $GITHUB_ENV
          echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> $GITHUB_ENV
          echo "SDKMANAGER=${{ runner.temp }}/android-sdk/cmdline-tools/bin/sdkmanager" >> $GITHUB_ENV
          echo "M2_REPO=${{ runner.temp }}/m2" >> $GITHUB_ENV

      - uses: actions/checkout@v4

      - name: Setup Linux environment
        if: runner.os == 'Linux'
        run: |
          echo "CC=clang" >> $GITHUB_ENV
          echo "CXX=clang++" >> $GITHUB_ENV

          sudo dpkg --add-architecture i386
          sudo add-apt-repository ppa:openjdk-r/ppa
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends \
            gcc-multilib \
            g++-multilib \
            ninja-build \
            openjdk-11-jre-headless

      - name: Setup macOS environment
        if: runner.os == 'macOS'
        run: |
          brew update || echo update failed
          brew install ninja || echo update failed

      - name: Setup Windows environment
        if: runner.os == 'Windows'
        run: |
          choco install nasm -y
          choco install ninja -y

      - name: Fetch BoringSSL source
        uses: actions/download-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl

      - name: Checkout BoringSSL master branch
        shell: bash
        run: |
          cd "$BORINGSSL_HOME"
          git checkout --progress --force -B master

      - name: Build BoringSSL x86 and ARM MacOS
        if: runner.os == 'macOS'
        env:
          # For compatibility, but 10.15 target requires 16-byte stack alignment.
          MACOSX_DEPLOYMENT_TARGET: 10.13
        run: |
          mkdir -p "$BORINGSSL_HOME/build.x86"
          pushd "$BORINGSSL_HOME/build.x86"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=x86_64 -GNinja ..
          ninja
          popd

          mkdir -p "$BORINGSSL_HOME/build.arm"
          pushd "$BORINGSSL_HOME/build.arm"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=arm64 -GNinja ..
          ninja
          popd

      - name: Build BoringSSL 64-bit Linux
        if: runner.os == 'Linux'
        run: |
          mkdir -p "$BORINGSSL_HOME/build64"
          pushd "$BORINGSSL_HOME/build64"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja ..
          ninja
          popd

      - name: Set up MSVC paths on Windows
        if: runner.os == 'Windows'
        uses: ilammy/msvc-dev-cmd@v1
        with:
            arch: x64

      - name: Build BoringSSL 64-bit Windows
        if: runner.os == 'Windows'
        run: |
          cd $Env:BORINGSSL_HOME
          mkdir build64
          pushd build64
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded -GNinja ..
          ninja
          popd

      - name: Setup Android environment
        shell: bash
        if: runner.os == 'Linux'
        run: |
          cd "${{ runner.temp }}"
          curl -L "${{ matrix.tools_url }}" -o android-tools.zip
          mkdir -p "$ANDROID_HOME"
          unzip -q android-tools.zip -d "$ANDROID_HOME"
          yes | "$SDKMANAGER" --sdk_root="$ANDROID_HOME" --licenses || true
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" tools
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" platform-tools
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'build-tools;30.0.3'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'platforms;android-26'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'extras;android;m2repository'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'ndk;25.2.9519653'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'cmake;3.22.1'

      - name: Build with Gradle
        shell: bash
        run: ./gradlew assemble -PcheckErrorQueue

      - name: Test with Gradle
        shell: bash
        timeout-minutes: 15
        run: ./gradlew check -PcheckErrorQueue

      - name: Publish to local Maven repo
        shell: bash
        run: ./gradlew publishToMavenLocal -Dmaven.repo.local="$M2_REPO"

      - name: Upload Maven respository
        uses: actions/upload-artifact@v4
        with:
          name: m2repo-${{ runner.os }}
          path: ${{ runner.temp }}/m2

      - name: Build test JAR with dependencies
        if: runner.os == 'Linux'
        shell: bash
        run: ./gradlew :conscrypt-openjdk:testJar -PcheckErrorQueue

      - name: Upload test JAR with dependencies
        if: runner.os == 'Linux'
        uses: actions/upload-artifact@v4
        with:
          name: testjar
          path: openjdk/build/libs/conscrypt-openjdk-*-tests.jar
          if-no-files-found: error

  uberjar:
    needs: build

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Setup Linux environment
        run: |
          echo "CC=clang" >> $GITHUB_ENV
          echo "CXX=clang++" >> $GITHUB_ENV

          sudo dpkg --add-architecture i386
          sudo add-apt-repository ppa:openjdk-r/ppa
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends \
            gcc-multilib \
            g++-multilib \
            ninja-build \
            openjdk-11-jre-headless

      - name: Set runner-specific environment variables
        shell: bash
        run: |
          echo "M2_REPO=${{ runner.temp }}/m2" >> $GITHUB_ENV
          echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> $GITHUB_ENV

      - name: Fetch BoringSSL source
        uses: actions/download-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl

      - name: Checkout BoringSSL master branch
        shell: bash
        run: |
          cd "$BORINGSSL_HOME"
          git checkout --progress --force -B master

      - name: Build BoringSSL 64-bit Linux
        run: |
          mkdir -p "$BORINGSSL_HOME/build64"
          pushd "$BORINGSSL_HOME/build64"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja ..
          ninja
          popd

      # TODO(prb) remove build dependency above and go back to this.
      # - name: Make fake BoringSSL directories
      #   shell: bash
      #   run: |
      #     # TODO: remove this when the check is only performed when building.
      #     # BoringSSL is not needed during the UberJAR build, but the
      #     # assertion to check happens regardless of whether the project
      #     # needs it.
      #     mkdir -p "${{ runner.temp }}/boringssl/build64"
      #     mkdir -p "${{ runner.temp }}/boringssl/include"

      - name: Download Maven repository for Linux
        uses: actions/download-artifact@v4
        with:
          name: m2repo-Linux
          path: ${{ runner.temp }}/m2

      - name: Download Maven repository for MacOS
        uses: actions/download-artifact@v4
        with:
          name: m2repo-macOS
          path: ${{ runner.temp }}/m2

      - name: Download Maven repository for Windows
        uses: actions/download-artifact@v4
        with:
          name: m2repo-Windows
          path: ${{ runner.temp }}/m2

      - name: Build UberJAR with Gradle
        shell: bash
        run: |
          ./gradlew :conscrypt-openjdk-uber:build -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO"

      - name: Publish UberJAR to Maven Local
        shell: bash
        run: |
          ./gradlew :conscrypt-openjdk-uber:publishToMavenLocal -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO"

      - name: Upload Maven respository
        uses: actions/upload-artifact@v4
        with:
          name: m2repo-uber
          path: ${{ runner.temp }}/m2

  openjdk-test:
    needs: uberjar

    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-13, macos-latest, windows-latest]
        java: [8, 11, 17, 21]
        dist: ['temurin', 'zulu']
        include:
          - platform: ubuntu-latest
            separator: ':'
          - platform: macos-latest
            separator: ':'
          - platform: macos-13
            separator: ':'
          - platform: windows-latest
            separator: ';'
        exclude: # Not available on Github runners
          - platform: macos-latest
            java: 8
            dist: 'temurin'


    runs-on: ${{ matrix.platform }}

    steps:
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          distribution: ${{ matrix.dist }}
          java-version: ${{ matrix.java }}

      - name: Download UberJAR
        uses: actions/download-artifact@v4
        with:
          name: m2repo-uber
          path: m2

      - name: Download Test JAR with Dependencies
        uses: actions/download-artifact@v4
        with:
          name: testjar
          path: testjar

      - name: Download JUnit runner
        shell: bash
        run: mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.0:copy -Dartifact=org.junit.platform:junit-platform-console-standalone:1.11.2 -DoutputDirectory=. -Dmdep.stripVersion=true

      - name: Run JUnit tests
        timeout-minutes: 15
        shell: bash
        run: |
          DIR="$(find m2/org/conscrypt/conscrypt-openjdk-uber -maxdepth 1 -mindepth 1 -type d -print)"
          VERSION="${DIR##*/}"
          TESTJAR="$(find testjar -name '*-tests.jar')"
          # SIGTERM handler, e.g. for when tests hang and time out.
          # Send SIGQUIT to test process to get thread dump, give it
          # a few seconds to complete and then kill it.
          dump_threads() {
            echo "Generating stack dump."
            ps -fp "$TESTPID"
            kill -QUIT "$TESTPID"
            sleep 3
            kill -KILL "$TESTPID"
            exit 1
          }
          java -jar junit-platform-console-standalone.jar execute -cp "$DIR/conscrypt-openjdk-uber-$VERSION.jar${{ matrix.separator }}$TESTJAR" -n='org.conscrypt.ConscryptOpenJdkSuite' --scan-classpath --reports-dir=results --fail-if-no-tests &
          case $(uname -s) in
            Darwin|Linux)
              trap dump_threads SIGTERM SIGINT
              ;;
            *)
              # TODO: Probably won't work on Windows but thread dumps
              # work there already.
              ;;
          esac
          TESTPID=$!
          wait "$TESTPID"

      - name: Archive test results
        if: ${{ always() }}
        uses: actions/upload-artifact@v4
        with:
          name: test-results-${{ matrix.platform }}-${{ matrix.java }}-${{ matrix.dist }}
          path: results