ci: add OpenSSL 4.0 to source-built matrix #886
Convert the OpenSSL 3.5 job into a matrix that builds OpenSSL from source for both 3.5.7 and 4.0.1, since neither version is packaged in Ubuntu 24.04.
📝 Walkthrough
The CI workflow replaces the fixed
Changes: OpenSSL multi-version matrix CI job
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 78-91: The linux_ossl_source job is missing an explicit
permissions block, which means it relies on default token permissions that may
be overly broad. Add a permissions block at the job level for the
linux_ossl_source job to define minimal required permissions. Since this job
appears to only run tests and does not need to modify repository contents or
perform privileged operations, define a permissions block with only the
necessary permissions (such as contents: read or no permissions at all if not
needed). Place the permissions block in the job definition between the job name
and the runs-on field.
- Line 92: The actions/checkout step uses a mutable tag reference (v6) instead
of being pinned to a specific commit SHA, which poses a security risk. Replace
the mutable tag reference in the uses field with a full commit SHA for the
actions/checkout action, and add the persist-credentials parameter set to false
since there are no downstream authenticated git operations in this workflow.
This follows security best practices by ensuring deterministic action execution
and applying least-privilege credential handling.
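The two inline comments above (no job-level `permissions` block, and `actions/checkout` referenced by a mutable tag without `persist-credentials: false`) can be checked mechanically. The following is an added example, not code from this PR or from CodeRabbit; it generalizes the pinning check to every `uses:` reference in a job. The function names are hypothetical, the parser assumes two-space YAML indentation, and the sample workflow is constructed (only the job name and `@v6` come from the review).

```python
import re

JOB = re.compile(r"^  ([\w-]+):\s*$")  # assumes two-space indentation under jobs:
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)", re.M)

def job_blocks(text):  # -> ({job: [body lines]}, workflow-level permissions key seen)
    jobs, name, in_jobs, top_perms = {}, None, False, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] != " ":  # top-level key
            in_jobs, name = line.startswith("jobs:"), None
            top_perms |= line.startswith("permissions:")
        elif in_jobs and JOB.match(line):
            name = JOB.match(line).group(1)
            jobs[name] = []
        elif in_jobs and name:
            jobs[name].append(line)
    return jobs, top_perms

def check_step(job, body):
    m = USES.search(body)
    if not m or m.group(1).startswith(("./", "docker://")):  # local/docker refs not covered
        return []
    action, _, ref = m.group(1).partition("@")
    out = []
    if not re.fullmatch(r"[0-9a-f]{40}", ref):
        out.append((job, f"{action}@{ref} is not pinned to a commit SHA"))
    if action == "actions/checkout" and not re.search(r"persist-credentials:\s*false", body):
        out.append((job, "actions/checkout without persist-credentials: false"))
    return out

def audit_workflow(text):  # -> [(job, finding)] for the review's two comments
    jobs, top_perms = job_blocks(text)
    findings = []
    for job, lines in jobs.items():
        if not top_perms and not any(l.startswith("    permissions:") for l in lines):
            findings.append((job, "no explicit permissions block"))
        for body in re.split(r"\n(?=\s*- )", "\n".join(lines)):  # one chunk per "- " item
            findings += check_step(job, body)
    return findings

SAMPLE = """\
jobs:
  linux_ossl_source:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
"""  # constructed input, not the project's ci.yml
```

Calling `audit_workflow(SAMPLE)` returns three findings for `linux_ossl_source`; a job with its own `permissions:` key, a 40-character SHA ref and `persist-credentials: false` returns none.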
This is just straightforward CI changes so no need to wait for review here.