
Commit ff2f534

authored
Merge pull request #77 from TaurusTLS-Developers/build_from_branch
Build from branch
2 parents bbe354f + 0036df6 commit ff2f534

3 files changed

Lines changed: 82 additions & 46 deletions


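--- a/.github/workflows/build-openssl.yml
+++ b/.github/workflows/build-openssl.yml
@@ -4,8 +4,16 @@ run-name: Build OpenSSL ${{ inputs.version }} via ${{ github.event_name }}
 on:
 workflow_dispatch:
 inputs:
+build_type:
+description: 'Build Type'
+required: true
+type: choice
+options:
+- release
+- branch
+default: release
 version:
-description: 'OpenSSL Version (e.g., 3.4.0)'
+description: 'OpenSSL Version or Branch (e.g., 3.4.0 or master)'
 required: true
 type: string
 ignore_eol:
@@ -20,6 +28,10 @@ on:
 default: false
 workflow_call:
 inputs:
+build_type:
+required: false
+type: string
+default: release
 version:
 required: true
 type: string
@@ -37,33 +49,51 @@ jobs:
 # 0. VALIDATE VERSION & EOL
 # =========================================================================
 validate-version:
-name: Validate Version
+name: Validate ${{ inputs.build_type == 'release' && 'Version' || 'Branch' }}
 runs-on: ubuntu-latest
 outputs:
 version: ${{ steps.check.outputs.version }}
+ref: ${{ steps.check.outputs.ref }}
+artifact_version: ${{ steps.check.outputs.artifact_version }}
 steps:
-- name: Check EOL Status
+- name: Check EOL or Branch Existence
 id: check
 run: |
 VERSION="${{ inputs.version }}"
+BUILD_TYPE="${{ inputs.build_type }}"
 IGNORE_EOL="${{ inputs.ignore_eol }}"
 
-MAJOR_MINOR=$(echo "$VERSION" | cut -d. -f1,2)
-EOL_DATE=$(curl -s https://endoflife.date/api/openssl.json | jq -r ".[] | select(.cycle == \"$MAJOR_MINOR\") | .eol")
-
-if [ -z "$EOL_DATE" ] || [ "$EOL_DATE" == "null" ]; then
-echo "⚠️ Could not determine EOL date for $MAJOR_MINOR. Proceeding cautiously."
-else
-TODAY=$(date +%Y-%m-%d)
-if [[ "$TODAY" > "$EOL_DATE" ]]; then
-echo "❌ OpenSSL $MAJOR_MINOR reached EOL on $EOL_DATE."
-if [ "$IGNORE_EOL" != "true" ]; then
-echo "Aborting build. Check 'Ignore EOL' to override."
-exit 1
+if [ "$BUILD_TYPE" == "release" ]; then
+MAJOR_MINOR=$(echo "$VERSION" | cut -d. -f1,2)
+EOL_DATE=$(curl -s https://endoflife.date/api/openssl.json | jq -r ".[] | select(.cycle == \"$MAJOR_MINOR\") | .eol")
+
+if [ -z "$EOL_DATE" ] || [ "$EOL_DATE" == "null" ]; then
+echo "⚠️ Could not determine EOL date for $MAJOR_MINOR. Proceeding cautiously."
+else
+TODAY=$(date +%Y-%m-%d)
+if [[ "$TODAY" > "$EOL_DATE" ]]; then
+echo "❌ OpenSSL $MAJOR_MINOR reached EOL on $EOL_DATE."
+if [ "$IGNORE_EOL" != "true" ]; then
+echo "Aborting build. Check 'Ignore EOL' to override."
+exit 1
+fi
+echo "⚠️ Ignore EOL is checked. Proceeding anyway."
 fi
-echo "⚠️ Ignore EOL is checked. Proceeding anyway."
 fi
+echo "ref=openssl-$VERSION" >> $GITHUB_OUTPUT
+echo "artifact_version=$VERSION" >> $GITHUB_OUTPUT
+else
+# Branch Mode
+echo "🔍 Verifying branch '$VERSION' in upstream repository..."
+if ! git ls-remote --heads https://github.com/openssl/openssl.git "$VERSION" | grep -q "$VERSION"; then
+echo "❌ Branch '$VERSION' does not exist in openssl/openssl repository."
+exit 1
+fi
+TIMESTAMP=$(date -u +%Y%m%dT%H%M%SZ)
+echo "ref=$VERSION" >> $GITHUB_OUTPUT
+echo "artifact_version=${VERSION}_${TIMESTAMP}" >> $GITHUB_OUTPUT
 fi
+
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 
 # =========================================================================
@@ -77,7 +107,7 @@ jobs:
 - uses: actions/checkout@v6
 with:
 repository: openssl/openssl
-ref: openssl-${{ needs.validate-version.outputs.version }}
+ref: ${{ needs.validate-version.outputs.ref }}
 
 - name: Build Common Assets
 run: |
@@ -173,7 +203,7 @@ jobs:
 - uses: actions/checkout@v6
 with:
 repository: openssl/openssl
-ref: openssl-${{ needs.validate-version.outputs.version }}
+ref: ${{ needs.validate-version.outputs.ref }}
 
 - name: Compile Windows (Standard)
 if: matrix.platform.label == 'Windows' && matrix.platform.arch != 'arm64ec'
@@ -525,7 +555,11 @@ jobs:
 cp common-assets/README.txt dist/ 2>/dev/null || true
 
 # Create Metadata
-echo "${{ needs.validate-version.outputs.version }}" > dist/version.txt
+if [ "${{ inputs.build_type }}" == "branch" ]; then
+echo "branch: ${{ needs.validate-version.outputs.version }}" > dist/version.txt
+else
+echo "${{ needs.validate-version.outputs.version }}" > dist/version.txt
+fi
 
 # Create Symlink Script (POSIX only, if not already present)
 if [ ! -f dist/install_symlinks.sh ]; then
@@ -540,7 +574,7 @@ jobs:
 
 find dist -type d -empty -delete
 
-ARCHIVE_NAME="openssl-${{ needs.validate-version.outputs.version }}-${{ matrix.label }}-${{ matrix.arch }}.zip"
+ARCHIVE_NAME="openssl-${{ needs.validate-version.outputs.artifact_version }}-${{ matrix.label }}-${{ matrix.arch }}.zip"
 cd dist
 zip -r -y "../$ARCHIVE_NAME" .
 cd ..
@@ -550,7 +584,7 @@ jobs:
 - name: Upload Final Archive
 uses: actions/upload-artifact@v7
 with:
-name: openssl-${{ needs.validate-version.outputs.version }}-${{ matrix.label }}-${{ matrix.arch }}
+name: openssl-${{ needs.validate-version.outputs.artifact_version }}-${{ matrix.label }}-${{ matrix.arch }}
 path: ${{ env.ARCHIVE_FILE }}
 archive: false
 retention-days: 5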
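Review bot: In branch mode the validate step emits `ref=$VERSION`, so the two `actions/checkout` steps that now read `needs.validate-version.outputs.ref` each resolve the branch tip on their own; if upstream moves during the run, the common-assets job and the compile jobs can build different commits, and neither the `${VERSION}_${TIMESTAMP}` artifact name nor `dist/version.txt` records which commit went into the zip. The step already queries the remote, so it can pin the commit there: `SHA=$(git ls-remote --heads https://github.com/openssl/openssl.git "refs/heads/$VERSION" | cut -f1)`, abort when `$SHA` is empty, and `echo "ref=$SHA" >> "$GITHUB_OUTPUT"`. Using the full `refs/heads/` name also tightens the existence check, because the bare name is a tail-match pattern for `git ls-remote` and a regular expression for `grep -q "$VERSION"`, so the current test can pass without an exact branch of that name. Separately, `BUILD_TYPE="${{ inputs.build_type }}"` and `if [ "${{ inputs.build_type }}" == "branch" ]` paste the input into the script text before the shell runs, and `workflow_call` declares it as a free-form string; passing it through the step's `env:` and rejecting anything other than `release` or `branch` would keep the validation and packaging steps in agreement. The checkout and packaging steps belong to jobs that start outside the hunks shown.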

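--- a/.github/workflows/check-upstream.yml
+++ b/.github/workflows/check-upstream.yml
@@ -52,7 +52,7 @@ jobs:
 echo "✅ Release v$VERSION already exists. Skipping."
 else
 echo "🚀 New release v$VERSION missing! Triggering build..."
-gh workflow run build-openssl.yml -f version="$VERSION"
+gh workflow run build-openssl.yml -f version="$VERSION" -f build_type="release"
 echo "Build triggered for $VERSION."
 fi
 done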

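--- a/doc/MAINTAINING.md
+++ b/doc/MAINTAINING.md
@@ -10,51 +10,53 @@ The pipeline consists of three primary workflows:
 * Runs daily via cron.
 * Uses the `endoflife.date` API to fetch active 3.x branches.
 * Triggers the Build workflow via `gh workflow run` using a Personal Access Token (`RBPW_PAT`) to allow workflow chaining.
+* Explicitly passes `build_type="release"` to ensure correct mode selection.
 
 2. **Build (`build-openssl.yml`):**
-* **Validate Version:** Checks EOL status. Aborts if EOL unless `ignore_eol` is true.
-* **Build Common Assets:** Compiles architecture-independent headers and HTML docs once on a Linux runner.
-* **Compile Binaries (Fan-Out):** A highly parallel matrix that splits builds by OS, Architecture, AND Linkage (`shared` vs `static`). Uploads raw, unstripped binaries as temporary artifacts.
-* **Package Release (Fan-In):** Downloads common assets and raw binaries.
+* **Validate Mode & Version:** Handles two build modes:
+* `release`: Uses official tags (e.g., `openssl-3.4.0`) and performs EOL checks.
+* `branch`: Clones a specific git branch (e.g., `master`, `openssl-3.0`) and verifies its existence.
+* **Build Common Assets:** Compiles architecture-independent headers and HTML docs once.
+* Generates a centralized `README.txt`.
+* Extracts `LICENSE.txt` from the source root.
+* Removes unnecessary large directories to keep the "common assets" artifact lean.
+* **Compile Binaries (Fan-Out):** A highly parallel matrix that splits builds by OS, Architecture, AND Linkage (`shared` vs `static`). Uses parallelized `make -j$(nproc)` for speed.
+* **Package Release (Fan-In):** Downloads assets and raw binaries.
+* *Adaptive Merging:* Handles inconsistent `actions/download-artifact` behavior by detecting both nested and flattened artifact structures.
 * *macOS:* Combines x64 and arm64 into Universal binaries using `lipo` and `install_name_tool`.
-* *Windows/Linux/Android/iOS:* Organizes files into a strict directory layout.
-* Strips debug symbols, drops PDBs, and generates `install_symlinks.sh` (POSIX only) and `README.txt`.
-* Uploads the final `.zip` without double-zipping (`archive: false`).
-* **Cleanup:** Automatically deletes intermediate `raw-*` and common assets artifacts via GitHub API to save storage space, unless `keep_raw_artifacts` is true.
+* *Naming:* Releases use standard version naming; Branch builds use `<branch>_<timestamp>` (e.g., `master_20260314T150000Z`).
+* *Metadata:* Generates `version.txt`. If in `branch` mode, prepends `branch: ` to the content.
+* **Cleanup:** Deletes intermediate artifacts via GitHub API unless `keep_raw_artifacts` is true.
 
 3. **Publish (`publish-release.yml`):**
 * Triggered automatically when a Build completes.
-* Downloads the raw `.zip` artifacts intact.
-* Reads the version from the `build-metadata` artifact.
 * Creates a Draft release and opens a GitHub Issue for maintainer review.
 
 ## 🛠️ Manual Operations
 
-### How to build a specific version manually
+### How to build manually
 1. Go to **Actions** tab -> **Build OpenSSL 3.x**.
 2. Click **Run workflow**.
-3. Enter the version (e.g., `3.4.0`).
-4. *(Optional)* Check **Ignore EOL Check** if you specifically need to build an older, unsupported version (e.g., `3.0.0`).
-5. *(Optional)* Check **Keep raw build artifacts** if you need to keep compiled artifacts, for example for debug purposes.
-6. The pipeline will build the artifacts and automatically trigger the Publish workflow as a Draft.
+3. **Build Type:** Select `release` for official tags or `branch` for moving git branches.
+4. **OpenSSL Version or Branch:** Enter the tag (e.g., `3.4.0`) or branch name (e.g., `openssl-3.6`).
+5. *(Optional)* Check **Ignore EOL Check** if you need to build an unsupported release.
+6. *(Optional)* Check **Keep raw build artifacts** for debugging.
 
 ### How to publish a release manually
-If an automatic publish fails, or you want to publish a specific build run manually:
+If an automatic publish fails:
 1. Go to **Actions** tab -> **Publish Release**.
 2. Click **Run workflow**.
-3. Provide the **Build Workflow Run ID** (found in the URL of the successful build run, e.g., `1234567890`).
-4. Toggle the **Create as Draft** status as needed.
+3. Provide the **Build Workflow Run ID** (found in the URL of the successful build run).
+4. Toggle **Create as Draft** as needed.
 
 ### Reviewing and Publishing Drafts
-When the CI pipeline automatically builds a new upstream release, it creates a Draft release and opens a GitHub Issue.
 1. Check the **Issues** tab for a "👀 Review Required" notification.
-2. Click the link in the issue to view the Draft Release.
-3. Verify the release notes and attached `.zip` artifacts.
+2. Click the link to view the Draft Release.
+3. Verify the artifacts and release notes.
 4. Click **Edit**, uncheck "Set as a draft", and click **Publish release**.
 5. Close the notification issue.
 
 ### Secrets Configuration
-To allow the workflows to trigger each other (e.g., `check-upstream` triggering `build-openssl`), a **Personal Access Token (PAT)** is required.
 * **Secret Name:** `RBPW_PAT`
-* **Required Scopes:** `repo` (or specific `actions:write`, `contents:write`).
-* **Note:** The default `GITHUB_TOKEN` cannot trigger recursive workflows. (However, `publish-release.yml` uses the standard `GITHUB_TOKEN` to create releases and issues).
+* **Required Scopes:** `repo`, `actions:write`.
+* **Note:** Required for workflow chaining (`check-upstream` -> `build-openssl`). Standard operations use the default `GITHUB_TOKEN`.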
