cryptography/.github/workflows/ci.yml

name: CI
on:
  pull_request: {}
  push:
    branches:
      - master
      - '*.*.x'
    tags:
      - '*.*'
      - '*.*.*'

jobs:
  linux:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        PYTHON:
          - {VERSION: "3.9", TOXENV: "pep8,packaging,docs", COVERAGE: "false"}
          - {VERSION: "pypy2", TOXENV: "pypy-nocoverage", COVERAGE: "false"}
          - {VERSION: "pypy3", TOXENV: "pypy3-nocoverage", COVERAGE: "false"}
          - {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
          - {VERSION: "2.7", TOXENV: "py27-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
          - {VERSION: "2.7", TOXENV: "py27", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
          - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}
          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}}
          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}}
          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.4"}}
          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.2"}}
    name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"
    steps:
      - uses: actions/checkout@v2
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.PYTHON.VERSION }}
      - run: git clone --depth=1 https://github.com/google/wycheproof
      - run: python -m pip install tox requests coverage
      - name: Compute config hash and set config vars
        run: |
          DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3"
          CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS"
          CONFIG_HASH=$(echo "$CONFIG_FLAGS" | sha1sum | sed 's/ .*$//')
          echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV
          echo "CONFIG_HASH=${CONFIG_HASH}" >> $GITHUB_ENV
          echo "OSSL_INFO=${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV
          echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_HASH}" >> $GITHUB_ENV          
        env:
          CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}
        if: matrix.PYTHON.OPENSSL
      - name: Load cache
        uses: actions/cache@v2
        id: ossl-cache
        with:
          path: ${{ github.workspace }}/osslcache
          # When altering the openssl build process you may need to increment the value on the end of this cache key
          # so that you can prevent it from fetching the cache and skipping the build step.
          key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-1
        if: matrix.PYTHON.OPENSSL
      - name: Build custom OpenSSL/LibreSSL
        run: .github/workflows/build_openssl.sh
        env:
          TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }}
          VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }}
          GITHUB_WORKSPACE: ${{ github.workspace }}
        if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true'
      - name: Set CFLAGS/LDFLAGS
        run: |
          echo "CFLAGS=${CFLAGS} -I${OSSL_PATH}/include" >> $GITHUB_ENV
          echo "LDFLAGS=${LDFLAGS} -L${OSSL_PATH}/lib -Wl,-rpath=${OSSL_PATH}/lib" >> $GITHUB_ENV          
        if: matrix.PYTHON.OPENSSL
      - name: Tests
        run: |
            tox -r --  --color=yes --wycheproof-root=wycheproof            
        env:
          TOXENV: ${{ matrix.PYTHON.TOXENV }}
      - name: Upload coverage
        run: |
          curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
          bash codecov.sh -n "tox -e ${{ matrix.PYTHON.TOXENV }} ${{ env.OSSL_INFO }}"          
        if: matrix.PYTHON.COVERAGE != 'false'

  linux-distros:
    runs-on: ubuntu-latest
    container: ${{ matrix.IMAGE.IMAGE }}
    strategy:
      matrix:
        IMAGE:
          - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"}
          - {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"}
          - {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: "OPENSSL_FORCE_FIPS_MODE=1"}
          - {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"}
          - {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"}
          - {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"}
          - {IMAGE: "pyca/cryptography-runner-sid", TOXENV: "py38"}
          - {IMAGE: "pyca/cryptography-runner-ubuntu-bionic", TOXENV: "py36"}
          - {IMAGE: "pyca/cryptography-runner-ubuntu-focal", TOXENV: "py38"}
          - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py27"}
          - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38"}
          - {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38-randomorder"}
          - {IMAGE: "pyca/cryptography-runner-fedora", TOXENV: "py39"}
          - {IMAGE: "pyca/cryptography-runner-alpine", TOXENV: "py38"}
    name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}"
    steps:
      - uses: actions/checkout@v2
      - run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"'
      - run: 'echo "$ENV_VAR" >> $GITHUB_ENV'
        if: matrix.IMAGE.ENV
        env:
          ENV_VAR: ${{ matrix.IMAGE.ENV }}
      - run: 'tox -- --wycheproof-root="$HOME/wycheproof"'
        env:
          TOXENV: ${{ matrix.IMAGE.TOXENV }}
      - name: Upload coverage
        run: |
          curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
          bash codecov.sh -n "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}"          

  macos:
    runs-on: macos-latest
    strategy:
      matrix:
        PYTHON:
          - {VERSION: "2.7", TOXENV: "py27", EXTRA_CFLAGS: ""}
          - {VERSION: "3.6", TOXENV: "py36", EXTRA_CFLAGS: ""}
          - {VERSION: "3.9", TOXENV: "py39", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
    name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
    steps:
      - uses: actions/checkout@v2
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.PYTHON.VERSION }}

      - run: python -m pip install tox requests coverage

      - run: git clone https://github.com/google/wycheproof

      - name: Download OpenSSL
        run: |
          python .github/workflows/download_openssl.py macos openssl-macos-x86-64          
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Tests
        run: |
          CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \
            LDFLAGS="${HOME}/openssl-macos-x86-64/lib/libcrypto.a ${HOME}/openssl-macos-x86-64/lib/libssl.a" \
            CFLAGS="-I${HOME}/openssl-macos-x86-64/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.10 -march=core2 $EXTRA_CFLAGS" \
            tox -r --  --color=yes --wycheproof-root=wycheproof          
        env:
          TOXENV: ${{ matrix.PYTHON.TOXENV }}
          EXTRA_CFLAGS: ${{ matrix.PYTHON.EXTRA_CFLAGS }}

      - name: Upload coverage
        run: |
          curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
          bash codecov.sh -n "Python ${{ matrix.PYTHON.VERSION }} on macOS"          

  windows:
    runs-on: windows-latest
    strategy:
      matrix:
        WINDOWS:
          - {ARCH: 'x86', WINDOWS: 'win32'}
          - {ARCH: 'x64', WINDOWS: 'win64'}
        PYTHON:
          - {VERSION: "2.7", TOXENV: "py27", MSVC_VERSION: "2010", CL_FLAGS: ""}
          - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019", CL_FLAGS: ""}
          - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019", CL_FLAGS: ""}
          - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: ""}
          - {VERSION: "3.9", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
    name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
    steps:
      - uses: actions/checkout@v2
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.PYTHON.VERSION }}
          architecture: ${{ matrix.WINDOWS.ARCH }}

      - name: Install MSVC for Python 2.7
        run: |
            Invoke-WebRequest -Uri https://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi -OutFile VCForPython27.msi
            Start-Process msiexec -Wait -ArgumentList @('/i', 'VCForPython27.msi', '/qn', 'ALLUSERS=1')
            Remove-Item VCForPython27.msi -Force            
        shell: powershell
        if: matrix.PYTHON.VERSION == '2.7'
      - run: python -m pip install tox requests coverage
      - name: Download OpenSSL
        run: |
            python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
            echo "INCLUDE=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;$INCLUDE" >> $GITHUB_ENV
            echo "LIB=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;$LIB" >> $GITHUB_ENV
            echo "CL=${{ matrix.PYTHON.CL_FLAGS }}" >> $GITHUB_ENV            
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
      - run: git clone https://github.com/google/wycheproof

      - run: tox -r -- --color=yes --wycheproof-root=wycheproof
        env:
          TOXENV: ${{ matrix.PYTHON.TOXENV }}

      - name: Upload coverage
        run: |
          curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
          bash codecov.sh -n "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"          

  linux-downstream:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        DOWNSTREAM:
          - paramiko
          - pyopenssl
          - twisted
          - aws-encryption-sdk
          - dynamodb-encryption-sdk
          - certbot
          - certbot-josepy
    name: "Downstream tests for ${{ matrix.DOWNSTREAM }}"
    steps:
      - uses: actions/checkout@v2
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          python-version: 3.7
      - run: python -m pip install -U pip wheel
      - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install
      - run: pip uninstall -y enum34
      - run: pip install .
      - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run

  docs-linkcheck:
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    name: "linkcheck"
    steps:
      - uses: actions/checkout@v2
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          python-version: 3.9
      - run: python -m pip install -U tox
      - run: tox -r --  --color=yes
        env:
          TOXENV: docs-linkcheck