migrate more from Travis to GHA (#5555)

* migrate more from Travis to GHA

* actually upload coverage

* use cache checks properly

* also do coverage

* simplify coverage check

* refactor a bit

* oops

* remove unused things in travis

* this needs to be stored to the github env...

.github/workflows/build_openssl.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -e
+set -x
+
+shlib_sed() {
+  # modify the shlib version to a unique one to make sure the dynamic
+  # linker doesn't load the system one.
+  sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile
+  sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile
+  sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile
+}
+
+# CONFIG_HASH is a global coming from a previous step
+OPENSSL_DIR="${GITHUB_WORKSPACE}/osslcache/${TYPE}-${VERSION}-${CONFIG_HASH}"
+if [[ "${TYPE}" == "openssl" ]]; then
+  curl -O "https://www.openssl.org/source/openssl-${VERSION}.tar.gz"
+  tar zxf "openssl-${VERSION}.tar.gz"
+  pushd "openssl-${VERSION}"
+  # CONFIG_FLAGS is a global coming from a previous step
+  ./config ${CONFIG_FLAGS} -fPIC --prefix="${OPENSSL_DIR}"
+  shlib_sed
+  make depend
+  make -j"$(nproc)"
+  # avoid installing the docs on versions of OpenSSL that aren't ancient.
+  # https://github.com/openssl/openssl/issues/6685#issuecomment-403838728
+  make install_sw install_ssldirs
+  popd
+elif [[ "${TYPE}" == "libressl" ]]; then
+  curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz"
+  tar zxf "libressl-${VERSION}.tar.gz"
+  pushd "libressl-${VERSION}"
+  ./config -Wl -Wl,-Bsymbolic-functions -fPIC shared --prefix="${OPENSSL_DIR}"
+  shlib_sed
+  make -j"$(nproc)" install
+  popd
+fi

.github/workflows/ci.yml

@@ -10,6 +10,78 @@ on:
       - '*.*.*'
 
 jobs:
+  linux:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        PYTHON:
+          - {VERSION: "3.9", TOXENV: "pep8,packaging", COVERAGE: "false"}
+          - {VERSION: "pypy2", TOXENV: "pypy-nocoverage", COVERAGE: "false"}
+          - {VERSION: "pypy3", TOXENV: "pypy3-nocoverage", COVERAGE: "false"}
+          - {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
+          - {VERSION: "2.7", TOXENV: "py27-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
+          - {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
+          - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.4"}}
+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.2"}}
+    name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.PYTHON.VERSION }}
+      - run: git clone --depth=1 https://github.com/google/wycheproof
+      - run: python -m pip install tox requests coverage
+      - name: Compute config hash and set config vars
+        run: |
+          DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3"
+          CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS"
+          CONFIG_HASH=$(echo "$CONFIG_FLAGS" | sha1sum | sed 's/ .*$//')
+          echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV
+          echo "CONFIG_HASH=${CONFIG_HASH}" >> $GITHUB_ENV
+          echo "OSSL_INFO=${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV
+          echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_HASH}" >> $GITHUB_ENV
+        env:
+          CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}
+        if: matrix.PYTHON.OPENSSL
+      - name: Load cache
+        uses: actions/cache@v2
+        id: ossl-cache
+        with:
+          path: ${{ github.workspace }}/osslcache
+          # When altering the openssl build process you may need to increment the value on the end of this cache key
+          # so that you can prevent it from fetching the cache and skipping the build step.
+          key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-1
+        if: matrix.PYTHON.OPENSSL
+      - name: Build custom OpenSSL/LibreSSL
+        run: .github/workflows/build_openssl.sh
+        env:
+          TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }}
+          VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }}
+          GITHUB_WORKSPACE: ${{ github.workspace }}
+        if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true'
+      - name: Set CFLAGS/LDFLAGS
+        run: |
+          echo "CFLAGS=${CFLAGS} -I${OSSL_PATH}/include" >> $GITHUB_ENV
+          echo "LDFLAGS=${LDFLAGS} -L${OSSL_PATH}/lib -Wl,-rpath=${OSSL_PATH}/lib" >> $GITHUB_ENV
+        if: matrix.PYTHON.OPENSSL
+      - name: Tests
+        run: |
+            tox -r --  --color=yes --wycheproof-root=wycheproof
+        env:
+          TOXENV: ${{ matrix.PYTHON.TOXENV }}
+      - name: Upload coverage
+        run: |
+          curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
+          bash codecov.sh -n "tox -e ${{ matrix.PYTHON.TOXENV }} ${{ env.OSSL_INFO }}"
+        if: matrix.PYTHON.COVERAGE != 'false'
+
   linux-distros:
     runs-on: ubuntu-latest
     container: ${{ matrix.IMAGE.IMAGE }}

.travis.yml

@@ -18,42 +18,7 @@ branches:
 
 matrix:
     include:
-        - python: 3.8
-          env: TOXENV=pep8,packaging
         # Setting 'python' is just to make travis's UI a bit prettier
-        - python: 3.6
-          env: TOXENV=py36
-        - python: 3.9
-          env: TOXENV=py39
-          # Travis lists available Pythons (including PyPy) by arch and distro here:
-          # https://docs.travis-ci.com/user/languages/python/#python-versions
-        - python: pypy2.7-7.3.1
-          env: TOXENV=pypy-nocoverage
-        - python: pypy3.6-7.3.1
-          env: TOXENV=pypy3-nocoverage
-        - python: 2.7
-          env: TOXENV=py27 OPENSSL=1.1.0l
-        - python: 2.7
-          env: TOXENV=py27-ssh OPENSSL=1.1.0l
-        - python: 3.8
-          env: TOXENV=py38 OPENSSL=1.1.0l
-        - python: 2.7
-          env: TOXENV=py27 OPENSSL=1.1.1h
-        - python: 3.8
-          env: TOXENV=py38 OPENSSL=1.1.1h
-        - python: 3.8
-          env: TOXENV=py38 OPENSSL=1.1.1h OPENSSL_CONFIG_FLAGS="no-engine no-rc2 no-srtp no-ct"
-        - python: 3.8
-          env: TOXENV=py38-ssh OPENSSL=1.1.1h
-        - python: 3.8
-          env: TOXENV=py38 LIBRESSL=2.9.2
-        - python: 3.8
-          env: TOXENV=py38 LIBRESSL=3.0.2
-        - python: 3.8
-          env: TOXENV=py38 LIBRESSL=3.1.4
-        - python: 3.8
-          env: TOXENV=py38 LIBRESSL=3.2.2
-
         - python: 3.8
           env: TOXENV=docs
           addons:
@@ -74,18 +39,3 @@ install:
 
 script:
     - ./.travis/run.sh
-
-after_success:
-    - ./.travis/upload_coverage.sh
-
-notifications:
-    irc:
-        channels:
-            # This is set to a secure variable to prevent forks from notifying the
-            # IRC channel whenever they fail a build. This can be removed when travis
-            # implements https://github.com/travis-ci/travis-ci/issues/1094.
-            # The value encrypted here was created via
-            # travis encrypt "irc.freenode.org#cryptography-dev"
-            - secure: "A93qvTOlwlMK5WoEvZQ5jQ8Z4Hd0JpeO53WYt8iIJ3s/L6AubkfiN7gwhThRtPnPx7DVMenoKRMlcRg76/ICvXEViVnGgXFjsypF0CzVcIay9pPdjpZjZHP735yLfX512RtxYEdEGwi5r25Z2CEFaydhhxNwfuMxGBtLUjusix4="
-        use_notice: true
-        skip_join: true

.travis/install.sh

@@ -3,46 +3,6 @@
 set -e
 set -x
 
-SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
-
-shlib_sed() {
-    # modify the shlib version to a unique one to make sure the dynamic
-    # linker doesn't load the system one.
-    sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile
-    sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile
-    sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile
-}
-
-# download, compile, and install if it's not already present via travis
-# cache
-if [ -n "${OPENSSL}" ]; then
-    . "$SCRIPT_DIR/openssl_config.sh"
-    if [[ ! -f "$HOME/$OPENSSL_DIR/bin/openssl" ]]; then
-        curl -O "https://www.openssl.org/source/openssl-${OPENSSL}.tar.gz"
-        tar zxf "openssl-${OPENSSL}.tar.gz"
-        pushd "openssl-${OPENSSL}"
-        ./config $OPENSSL_CONFIG_FLAGS -fPIC --prefix="$HOME/$OPENSSL_DIR"
-        shlib_sed
-        make depend
-        make -j"$(nproc)"
-        # avoid installing the docs on versions of OpenSSL that aren't ancient.
-        # https://github.com/openssl/openssl/issues/6685#issuecomment-403838728
-        make install_sw install_ssldirs
-        popd
-    fi
-elif [ -n "${LIBRESSL}" ]; then
-    LIBRESSL_DIR="ossl-2/${LIBRESSL}"
-    if [[ ! -f "$HOME/$LIBRESSL_DIR/bin/openssl" ]]; then
-        curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL}.tar.gz"
-        tar zxf "libressl-${LIBRESSL}.tar.gz"
-        pushd "libressl-${LIBRESSL}"
-        ./config -Wl -Wl,-Bsymbolic-functions -fPIC shared --prefix="$HOME/$LIBRESSL_DIR"
-        shlib_sed
-        make -j"$(nproc)" install
-        popd
-    fi
-fi
-
 if [ -z "${DOWNSTREAM}" ]; then
     git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"
 fi

.travis/openssl_config.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-set -e
-set -x
-
-DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3"
-if [ -n "${OPENSSL_CONFIG_FLAGS}" ]; then
-    OPENSSL_CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $OPENSSL_CONFIG_FLAGS"
-else
-    OPENSSL_CONFIG_FLAGS=$DEFAULT_CONFIG_FLAGS
-fi
-CONFIG_HASH=$(echo "$OPENSSL_CONFIG_FLAGS" | sha1sum | sed 's/ .*$//')
-OPENSSL_DIR="ossl-2/${OPENSSL}${CONFIG_HASH}"

.travis/run.sh

@@ -1,23 +1,5 @@
 #!/bin/bash -ex
 
-SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
-
-if [ -n "${LIBRESSL}" ]; then
-    LIBRESSL_DIR="ossl-2/${LIBRESSL}"
-    export CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=discarded-qualifiers -Wno-error=unused-function -I$HOME/$LIBRESSL_DIR/include"
-    export PATH="$HOME/$LIBRESSL_DIR/bin:$PATH"
-    export LDFLAGS="-L$HOME/$LIBRESSL_DIR/lib -Wl,-rpath=$HOME/$LIBRESSL_DIR/lib"
-fi
-
-if [ -n "${OPENSSL}" ]; then
-    . "$SCRIPT_DIR/openssl_config.sh"
-    export PATH="$HOME/$OPENSSL_DIR/bin:$PATH"
-    export CFLAGS="${CFLAGS} -I$HOME/$OPENSSL_DIR/include"
-    # rpath on linux will cause it to use an absolute path so we don't need to
-    # do LD_LIBRARY_PATH
-    export LDFLAGS="-L$HOME/$OPENSSL_DIR/lib -Wl,-rpath=$HOME/$OPENSSL_DIR/lib"
-fi
-
 source ~/.venv/bin/activate
 
 if [ -n "${TOXENV}" ]; then

.travis/upload_coverage.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -e
-set -x
-
-if [ -n "${TOXENV}" ]; then
-    case "${TOXENV}" in
-        pypy-nocoverage);;
-        pypy3-nocoverage);;
-        pep8);;
-        py3pep8);;
-        docs);;
-        *)
-            source ~/.venv/bin/activate
-            curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
-
-            bash codecov.sh -Z -e TRAVIS_OS_NAME,TOXENV,OPENSSL || \
-                bash codecov.sh -Z -e TRAVIS_OS_NAME,TOXENV,OPENSSL
-            ;;
-    esac
-fi