Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/ci.yml99
-rw-r--r--.github/workflows/download_openssl.py60
-rw-r--r--.github/workflows/wheel-builder.yml162
3 files changed, 321 insertions, 0 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..c4bb335c
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,99 @@
+name: CI
+on:
+ pull_request: {}
+ push:
+ branches:
+ - master
+ - '*.*.x'
+ tags:
+ - '*.*.*'
+
+jobs:
+ macos:
+ runs-on: macos-latest
+ strategy:
+ matrix:
+ PYTHON:
+ - {VERSION: "2.7", TOXENV: "py27"}
+ - {VERSION: "3.5", TOXENV: "py35"}
+ - {VERSION: "3.6", TOXENV: "py36"}
+ - {VERSION: "3.7", TOXENV: "py37"}
+ - {VERSION: "3.8", TOXENV: "py38"}
+ name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
+ steps:
+ - uses: actions/checkout@master
+ - name: Setup python
+ uses: actions/setup-python@v1
+ with:
+ python-version: ${{ matrix.PYTHON.VERSION }}
+
+ - run: python -m pip install tox requests coverage
+
+ - run: git clone https://github.com/google/wycheproof
+
+ - name: Download OpenSSL
+ run: |
+ python .github/workflows/download_openssl.py macos openssl-macos
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Tests
+ run: |
+ CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \
+ LDFLAGS="${HOME}/openssl-macos/lib/libcrypto.a ${HOME}/openssl-macos/lib/libssl.a" \
+ CFLAGS="-I${HOME}/openssl-macos/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.9 -march=core2" \
+ tox -r -- --color=yes --wycheproof-root=wycheproof
+ env:
+ TOXENV: ${{ matrix.PYTHON.TOXENV }}
+
+ - name: Upload coverage
+ run: |
+ curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
+ bash codecov.sh -n "Python ${{ matrix.PYTHON.VERSION }} on macOS"
+
+ windows:
+ runs-on: windows-latest
+ strategy:
+ matrix:
+ WINDOWS:
+ - {ARCH: 'x86', WINDOWS: 'win32'}
+ - {ARCH: 'x64', WINDOWS: 'win64'}
+ PYTHON:
+ - {VERSION: "2.7", TOXENV: "py27", MSVC_VERSION: "2010"}
+ - {VERSION: "3.5", TOXENV: "py35", MSVC_VERSION: "2019"}
+ - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019"}
+ - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019"}
+ - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019"}
+ name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
+ steps:
+ - uses: actions/checkout@master
+ - name: Setup python
+ uses: actions/setup-python@v1
+ with:
+ python-version: ${{ matrix.PYTHON.VERSION }}
+ architecture: ${{ matrix.WINDOWS.ARCH }}
+
+ - name: Install MSVC for Python 2.7
+ run: |
+ Invoke-WebRequest -Uri https://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi -OutFile VCForPython27.msi
+ Start-Process msiexec -Wait -ArgumentList @('/i', 'VCForPython27.msi', '/qn', 'ALLUSERS=1')
+ Remove-Item VCForPython27.msi -Force
+ shell: powershell
+ if: matrix.PYTHON.VERSION == '2.7'
+ - run: python -m pip install tox requests coverage
+ - name: Download OpenSSL
+ run: |
+ python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
+ echo "::set-env name=INCLUDE::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;%INCLUDE%"
+ echo "::set-env name=LIB::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;%LIB%"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - run: git clone https://github.com/google/wycheproof
+
+ - run: tox -r -- --color=yes --wycheproof-root=wycheproof
+ env:
+ TOXENV: ${{ matrix.PYTHON.TOXENV }}
+
+ - name: Upload coverage
+ run: |
+ curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash || curl -o codecov.sh -f https://codecov.io/bash
+ bash codecov.sh -n "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
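Review bot: The "Upload coverage" steps in both jobs download `https://codecov.io/bash` at run time and execute it with `bash codecov.sh` without checking what was fetched, so whatever that URL serves runs inside the job with the checked-out tree and the runner's environment. Fetching a fixed uploader version and comparing its digest before running it would close that gap, e.g. `echo "<expected-sha256>  codecov.sh" | shasum -a 256 -c` ahead of the `bash` line on macOS and an equivalent check on Windows. To a lesser degree the same applies to `uses: actions/checkout@master` and the unpinned `git clone https://github.com/google/wycheproof`: both follow a moving ref, so pinning them to a commit keeps runs reproducible and reviewable.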
diff --git a/.github/workflows/download_openssl.py b/.github/workflows/download_openssl.py
new file mode 100644
index 00000000..559e6819
--- /dev/null
+++ b/.github/workflows/download_openssl.py
@@ -0,0 +1,60 @@
+import io
+import os
+import sys
+import zipfile
+
+import requests
+
+from urllib3.util.retry import Retry
+
+
+def get_response(session, url, token):
+ response = session.get(url, headers={"Authorization": "token " + token})
+ if response.status_code != 200:
+ raise ValueError("Got HTTP {} fetching {}: ".format(
+ response.status_code, url
+ ))
+ return response
+
+
+def main(platform, target):
+ if platform == "windows":
+ workflow = "build-windows-openssl.yml"
+ path = "C:/"
+ elif platform == "macos":
+ workflow = "build-macos-openssl.yml"
+ path = os.environ["HOME"]
+ else:
+ raise ValueError("Invalid platform")
+
+ session = requests.Session()
+ adapter = requests.adapters.HTTPAdapter(
+ max_retries=Retry()
+ )
+ session.mount("https://", adapter)
+ session.mount("http://", adapter)
+
+ token = os.environ["GITHUB_TOKEN"]
+ print("Looking for: {}".format(target))
+ runs_url = (
+ "https://api.github.com/repos/pyca/infra/actions/workflows/"
+ "{}/runs?branch=master&status=success".format(workflow)
+ )
+
+ response = get_response(session, runs_url, token).json()
+ artifacts_url = response["workflow_runs"][0]["artifacts_url"]
+ response = get_response(session, artifacts_url, token).json()
+ for artifact in response["artifacts"]:
+ if artifact["name"] == target:
+ print("Found artifact")
+ response = get_response(
+ session, artifact["archive_download_url"], token
+ )
+ zipfile.ZipFile(io.BytesIO(response.content)).extractall(
+ os.path.join(path, artifact["name"])
+ )
+ return
+
+
+if __name__ == "__main__":
+ main(sys.argv[1], sys.argv[2])
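Review bot: `main()` falls out of the `for artifact in response["artifacts"]` loop and returns normally when no artifact is named `target`, so the step exits 0 with nothing extracted and the failure only surfaces later, if at all, at compile or link time. Add `raise ValueError("Artifact {} not found in latest successful run".format(target))` after the loop; `response["workflow_runs"][0]` likewise raises a bare IndexError when there is no successful run. Because the extracted OpenSSL is linked into the wheels built by wheel-builder.yml, it would also help to log which build was taken, e.g. print the run's `id` and `hashlib.sha256(response.content).hexdigest()` (needs `import hashlib`) before `extractall`, so a published wheel can be traced back to one artifact.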
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
new file mode 100644
index 00000000..daeaf4e1
--- /dev/null
+++ b/.github/workflows/wheel-builder.yml
@@ -0,0 +1,162 @@
+name: Wheel Builder
+on:
+ repository_dispatch:
+ types: [wheel-builder]
+
+jobs:
+ manylinux:
+ runs-on: ubuntu-latest
+ container: ${{ matrix.MANYLINUX.CONTAINER }}
+ strategy:
+ matrix:
+ PYTHON: ["cp27-cp27m", "cp27-cp27mu", "cp35-cp35m"]
+ MANYLINUX:
+ - NAME: manylinux1_x86_64
+ CONTAINER: "pyca/cryptography-manylinux1:x86_64"
+ - NAME: manylinux2010_x86_64
+ CONTAINER: "pyca/cryptography-manylinux2010:x86_64"
+ name: "Python ${{ matrix.PYTHON }} for ${{ matrix.MANYLINUX.NAME }}"
+ steps:
+ - run: /opt/python/${{ matrix.PYTHON }}/bin/python -m virtualenv .venv
+ - name: Downgrade pip, can't remember why
+ run: .venv/bin/pip install -U pip==10.0.1
+ - name: Install Python dependencies
+ run: .venv/bin/pip install cffi six ipaddress "enum34; python_version < '3'"
+ - run: |
+ REGEX="cp3([0-9])*"
+ if [[ "${{ matrix.PYTHON }}" =~ $REGEX ]]; then
+ PY_LIMITED_API="--build-option --py-limited-api=cp3${BASH_REMATCH[1]}"
+ fi
+ LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \
+ CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
+ .venv/bin/pip wheel cryptography==${{ github.event.client_payload.BUILD_VERSION }} --no-binary cryptography --no-deps --wheel-dir=tmpwheelhouse $PY_LIMITED_API
+ - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/
+ - run: unzip wheelhouse/*.whl -d execstack.check
+ - run: |
+ results=$(execstack execstack.check/cryptography/hazmat/bindings/*.so)
+ count=$(echo "$results" | grep -c '^X' || true)
+ if [ "$count" -ne 0 ]; then
+ exit 1
+ else
+ exit 0
+ fi
+ - name: Upgrade pip again so we can actually use manylinux2010
+ run: .venv/bin/pip install -U pip
+ - run: .venv/bin/pip install cryptography --no-index -f wheelhouse/
+ - run: |
+ .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+ - run: mkdir cryptography-wheelhouse
+ - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
+ - uses: actions/upload-artifact@v1
+ with:
+ name: "cryptography-${{ github.event.client_payload.BUILD_VERSION }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON }}"
+ path: cryptography-wheelhouse/
+
+ macos:
+ runs-on: macos-latest
+ strategy:
+ matrix:
+ PYTHON:
+ - VERSION: '2.7'
+ ABI_VERSION: '2.7'
+ DOWNLOAD_URL: 'https://www.python.org/ftp/python/2.7.17/python-2.7.17-macosx10.9.pkg'
+ BIN_PATH: '/Library/Frameworks/Python.framework/Versions/2.7/bin/python'
+ - VERSION: '3.8'
+ ABI_VERSION: '3.5'
+ DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.8.2/python-3.8.2-macosx10.9.pkg'
+ BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.8/bin/python3'
+ name: "Python ${{ matrix.PYTHON.VERSION }} for ABI ${{ matrix.PYTHON.ABI_VERSION }} on macOS"
+ steps:
+ - uses: actions/checkout@master
+ - run: |
+ curl "$PYTHON_DOWNLOAD_URL" -o python.pkg
+ sudo installer -pkg python.pkg -target /
+ env:
+ PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }}
+ - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -U virtualenv requests
+ - name: Download OpenSSL
+ run: |
+ ${{ matrix.PYTHON.BIN_PATH }} .github/workflows/download_openssl.py macos openssl-macos
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - run: ${{ matrix.PYTHON.BIN_PATH }} -m virtualenv venv
+ # Downgrade pip, I can't remember why
+ - run: venv/bin/pip install -U pip==10.0.1
+ - run: venv/bin/pip install -U wheel
+ - run: venv/bin/pip install cffi six ipaddress "enum34; python_version < '3'"
+
+ - name: Build the wheel
+ run: |
+ REGEX="3\.([0-9])*"
+ if [[ "$PYTHON_VERSION" =~ $REGEX ]]; then
+ PY_LIMITED_API="--build-option --py-limited-api=cp3${BASH_REMATCH[1]}"
+ fi
+
+ CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS="1" \
+ LDFLAGS="${HOME}/openssl-macos/lib/libcrypto.a ${HOME}/openssl-macos/lib/libssl.a" \
+ CFLAGS="-I${HOME}/openssl-macos/include -mmacosx-version-min=10.9 -march=core2" \
+ venv/bin/pip wheel cryptography==${{ github.event.client_payload.BUILD_VERSION }} --wheel-dir=wheelhouse --no-binary cryptography --no-deps $PY_LIMITED_API
+ env:
+ PYTHON_VERSION: ${{ matrix.PYTHON.ABI_VERSION }}
+ - run: venv/bin/pip install -f wheelhouse --no-index cryptography
+ - run: |
+ venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+
+ - run: mkdir cryptography-wheelhouse
+ - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
+ - uses: actions/upload-artifact@v1
+ with:
+ name: "cryptography-${{ github.event.client_payload.BUILD_VERSION }}-macOS-${{ matrix.PYTHON.ABI_VERSION }}"
+ path: cryptography-wheelhouse/
+
+ windows:
+ runs-on: windows-latest
+ strategy:
+ matrix:
+ WINDOWS:
+ - {ARCH: 'x86', WINDOWS: 'win32'}
+ - {ARCH: 'x64', WINDOWS: 'win64'}
+ PYTHON:
+ - {VERSION: "2.7", TOXENV: "py27", MSVC_VERSION: "2010"}
+ - {VERSION: "3.5", TOXENV: "py35", MSVC_VERSION: "2019"}
+ - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019"}
+ - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019"}
+ - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019"}
+ name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
+ steps:
+ - uses: actions/checkout@master
+ - name: Setup python
+ uses: actions/setup-python@v1
+ with:
+ python-version: ${{ matrix.PYTHON.VERSION }}
+ architecture: ${{ matrix.WINDOWS.ARCH }}
+ - name: Install MSVC for Python 2.7
+ run: |
+ Invoke-WebRequest -Uri https://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi -OutFile VCForPython27.msi
+ Start-Process msiexec -Wait -ArgumentList @('/i', 'VCForPython27.msi', '/qn', 'ALLUSERS=1')
+ Remove-Item VCForPython27.msi -Force
+ shell: powershell
+ if: matrix.PYTHON.VERSION == '2.7'
+ - run: pip install requests
+ - name: Download OpenSSL
+ run: |
+ python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
+ echo "::set-env name=INCLUDE::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;%INCLUDE%"
+ echo "::set-env name=LIB::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;%LIB%"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - run: pip install cffi six ipaddress "enum34; python_version < '3'"
+ - run: pip wheel cryptography==${{ github.event.client_payload.BUILD_VERSION }} --wheel-dir=wheelhouse --no-binary cryptography
+ - run: pip install -f wheelhouse --no-index cryptography
+ - name: Print the OpenSSL we built and linked against
+ run: |
+ python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+
+ - run: mkdir cryptography-wheelhouse
+ - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\
+ - uses: actions/upload-artifact@v1
+ with:
+ name: "cryptography-${{ github.event.client_payload.BUILD_VERSION }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}"
+ path: cryptography-wheelhouse\
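Review bot: `${{ github.event.client_payload.BUILD_VERSION }}` is expanded into the text of the `run:` scripts (the three `pip wheel cryptography==…` lines) before the shell parses them, so a payload value containing shell metacharacters becomes part of the script rather than an argument. The macOS job already uses the safer pattern for `PYTHON_DOWNLOAD_URL`; do the same here with `env: BUILD_VERSION: ${{ github.event.client_payload.BUILD_VERSION }}` and `"cryptography==${BUILD_VERSION}"` (using the shell's own variable syntax in the Windows job). Separately, `curl "$PYTHON_DOWNLOAD_URL" -o python.pkg` lacks `-f` and the package goes to `sudo installer` with no digest or signature check; running `pkgutil --check-signature python.pkg` first would at least reject an unsigned or tampered package.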