gh-136728: Combine OpenSSL and AWS-LC CI configurations #144805
zware wants to merge 5 commits into python:main
.github/workflows/build.yml
Outdated
| # Keep 1.1.1w in our list despite it being upstream EOL and otherwise | ||
| # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs | ||
| # supported by important vendors such as AWS-LC. | ||
| version: 1.1.1w |
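Review bot: the comment above `version: 1.1.1w` gives resemblance to AWS-LC as the reason for keeping the entry, which stops being the reason once AWS-LC has its own matrix leg. If 1.1.1w stays, reword the comment to state the remaining reason, for example that it is still a supported version for builds from source.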
Since we actually include AWS-LC tests now, can we remove this note and version?
Ideally, no. I still want to test 1.1.1w. We are still officially supporting it as part of the build from source, and I really want to keep catching possible regressions if there is some API misuse. I believe that there are still code paths that are not hit by AWS-LC though I cannot say for sure that it's the case. Until we change https://docs.python.org/3/using/configure.html#requirements-for-optional-modules, I want to keep that version.
hugovk left a comment
Yeah, this approach also looks fine by me :)
Collapse matrix entries into more concise one line each.
Remove obsolete OpenSSL 1.1.1w; AWS-LC is roughly 1.1.1-shaped and exercises the relevant APIs.
Remove AWS-LC 1.55.0; just test the single latest version.
| ssllib: | ||
| # See Tools/ssl/make_ssl_data.py for notes on adding a new version | ||
| ## OpenSSL | ||
| - { name: openssl, version: 3.0.19 } |
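Review bot: `version: 3.0.19` inside the flow mapping is unquoted and loads as a string only because it contains two dots; a two-component value would load as a float and could lose a trailing zero. Quoting the versions (`version: "3.0.19"`) removes that trap, and a plain-string matrix entry would avoid the nested-object handling altogether.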
Nested objects in the matrix generally cause difficulties. So yes, that other PR solves this bit better. I understand the desire to couple libs with their versions and it might be reasonable to just use strings like openssl == 3.0.19 and split them where necessary.
| - name: Verify python is linked to AWS-LC | ||
| run: ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep AWS-LC | ||
| - name: Verify python is linked to the right lib | ||
| run: ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep -i ${{ matrix.ssllib.name }} |
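Review bot: the `grep -i ${{ matrix.ssllib.name }}` check in the "Verify python is linked to the right lib" step matches only the library name, so a leg that linked against a different release than the requested `matrix.ssllib.version` would still pass; consider matching the version as well. The `${{ }}` expression is also expanded unquoted into the shell script. The values are static matrix entries here, but passing them through `env:` and quoting the variable in the `grep` call keeps the step safe if the matrix is ever built from other input.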
Zizmor didn't trigger on this: https://github.com/python/cpython/actions/runs/22081032695/job/63806079752?pr=144805#step:3:151
I accidentally started this before finding GH-143940, but given the somewhat different approach I figured it was worth sharing anyway. If we prefer the GH-143940 approach, this can just be closed.
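
The `openssl == 3.0.19` string form suggested in the review thread, combined with the linked-library check from the workflow step, as an added shell example that is not part of this PR or of CPython's workflow. `split_spec` and `verify_linked` are hypothetical names, and the sample version banners are constructed.

```bash
#!/bin/sh
# Added example: parse a "name == version" matrix string and check that the
# banner reported by ssl.OPENSSL_VERSION names that library AND that version.

# split_spec "openssl == 3.0.19" sets SSL_NAME and SSL_VERSION (hypothetical helper).
split_spec() {
    case $1 in *" == "*) ;; *) return 2 ;; esac
    SSL_NAME="${1%% == *}"
    SSL_VERSION="${1#* == }"
    # Accept only characters expected in a library name or version string,
    # so the values are safe to reuse in later steps.
    case "$SSL_NAME" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    case "$SSL_VERSION" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
}

# verify_linked SPEC BANNER: 0 on match, 1 on mismatch, 2 on a malformed spec.
verify_linked() {
    split_spec "$1" || return 2
    want=$(printf '%s %s' "$SSL_NAME" "$SSL_VERSION" | tr 'A-Z' 'a-z')
    have=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # Quoted "$want" is matched literally. The character after it must not
    # extend the version, so "3.0.1" does not match a "3.0.19" banner.
    case $have in
        *"$want"[!0-9a-z.]*|*"$want") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample banners (not captured from a real build).
for banner in "OpenSSL 3.0.19 27 Jan 2026" \
              "OpenSSL 1.1.1 (compatible; AWS-LC 1.55.0)"; do
    if verify_linked "openssl == 3.0.19" "$banner"; then r=ok; else r=MISMATCH; fi
    printf '%-45s %s\n' "$banner" "$r"
done
```

In a workflow step the banner would come from `./python -c 'import ssl; print(ssl.OPENSSL_VERSION)'` and the spec from an `env:` variable rather than an inline `${{ }}` expansion.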