
ci: add OpenSSL 4.0 to source-built matrix#886

Merged
bukka merged 1 commit into
softhsm:mainfrom
bukka:ci-openssl-40
Jun 21, 2026

Conversation

@bukka

@bukka bukka commented Jun 21, 2026

Member

Convert the OpenSSL 3.5 job into a matrix that builds OpenSSL from source for both 3.5.7 and 4.0.1, since neither version is packaged in Ubuntu 24.04.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow to test builds against multiple OpenSSL versions (3.5.7 and 4.0.1), improving test coverage and compatibility validation during the build process.

Convert the OpenSSL 3.5 job into a matrix that builds OpenSSL from
source for both 3.5.7 and 4.0.1, since neither version is packaged in
Ubuntu 24.04.
@bukka bukka requested a review from a team as a code owner June 21, 2026 12:58
@coderabbitai

coderabbitai Bot commented Jun 21, 2026


Walkthrough

The CI workflow replaces the fixed linux_ossl_35 job with a new linux_ossl_source job that uses a version matrix to build and test against OpenSSL 3.5.7 and 4.0.1 from source. Per-version SHA256 hashes and install directories are defined in the matrix, and all path-related environment variables are updated to use the matrix-selected install directory.

Changes

OpenSSL multi-version matrix CI job

Layer: Matrix job definition and path parameterization
File(s): .github/workflows/ci.yml
Summary: Replaces linux_ossl_35 with linux_ossl_source, introducing a matrix over OpenSSL 3.5.7 and 4.0.1 with per-version SHA256 and install dirs. Job-level env vars and the Build step's OPENSSL_INSTALL_DIR, LDFLAGS, and PKG_CONFIG_PATH are all derived from matrix.dir instead of hardcoded paths.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Suggested reviewers

  • jschlyter
  • kalvdans
  • bjosv

Poem

🐇 Hop, hop, hooray, two versions today!
The matrix now holds both 3.5 and 4.0.1,
No hardcoded paths left to lead us astray,
SHA256 hashes keep our builds in the sun.
The rabbit approves — CI testing well done! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | Passed | Check skipped: CodeRabbit's high-level summary is enabled.
Title check | Passed | The title 'ci: add OpenSSL 4.0 to source-built matrix' accurately summarizes the main change, converting the CI job to a matrix-based approach and adding OpenSSL 4.0 testing alongside version 3.5.7.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In .github/workflows/ci.yml:

- Around line 78-91: The linux_ossl_source job is missing an explicit permissions block, which means it relies on default token permissions that may be overly broad. Add a permissions block at the job level for the linux_ossl_source job to define minimal required permissions. Since this job appears to only run tests and does not need to modify repository contents or perform privileged operations, define a permissions block with only the necessary permissions (such as contents: read or no permissions at all if not needed). Place the permissions block in the job definition between the job name and the runs-on field.

- Line 92: The actions/checkout step uses a mutable tag reference (v6) instead of being pinned to a specific commit SHA, which poses a security risk. Replace the mutable tag reference in the uses field with a full commit SHA for the actions/checkout action, and add the persist-credentials parameter set to false since there are no downstream authenticated git operations in this workflow. This follows security best practices by ensuring deterministic action execution and applying least-privilege credential handling.

📥 Commits

Reviewing files that changed from the base of the PR and between 3129355 and 2d64e0f.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
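The following workflow excerpt is an added illustration, not SoftHSM's actual ci.yml and not code from the PR author or the review bot. It puts together the pieces discussed above: a linux_ossl_source job whose matrix carries the OpenSSL version, its tarball SHA256 and the install directory (matrix.dir is the name the page uses; matrix.version and matrix.sha256 are assumed names), the job-level env vars derived from matrix.dir, and the two hardening points the review raises (a job-level permissions block and actions/checkout pinned to a commit with persist-credentials: false). The hash values, the checkout commit SHA, the download URL and the SoftHSM configure flags are placeholders or assumptions and must be replaced with verified values before use.

```yaml
# Added example, not the project's own workflow. Placeholders are marked.
name: ci

permissions: {}            # grant nothing at the workflow level; each job asks for what it needs

jobs:
  linux_ossl_source:
    name: Linux (OpenSSL ${{ matrix.version }} from source)
    permissions:
      contents: read       # the job only checks out, builds and tests; nothing is written back
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false     # let the 3.5.7 and 4.0.1 legs finish independently
      matrix:
        include:
          - version: 3.5.7
            sha256: "<sha256 of openssl-3.5.7.tar.gz>"   # placeholder, take from the upstream release
            dir: /opt/openssl-3.5
          - version: 4.0.1
            sha256: "<sha256 of openssl-4.0.1.tar.gz>"   # placeholder, take from the upstream release
            dir: /opt/openssl-4.0
    env:
      # Every path below is derived from matrix.dir rather than hardcoded per job.
      OPENSSL_INSTALL_DIR: ${{ matrix.dir }}
      LDFLAGS: -L${{ matrix.dir }}/lib64 -Wl,-rpath,${{ matrix.dir }}/lib64
      PKG_CONFIG_PATH: ${{ matrix.dir }}/lib64/pkgconfig
    steps:
      # Pin to a full commit SHA (placeholder below), not to the mutable v6 tag,
      # and drop the token from the checkout since no later step pushes or fetches.
      - uses: actions/checkout@0000000000000000000000000000000000000000   # placeholder SHA
        with:
          persist-credentials: false

      - name: Download and verify OpenSSL source
        run: |
          set -euo pipefail
          tarball="openssl-${{ matrix.version }}.tar.gz"
          # Assumed release URL pattern; adjust if upstream publishes elsewhere.
          curl -fsSL -o "$tarball" \
            "https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.version }}/$tarball"
          # sha256sum -c exits non-zero on mismatch, so a tampered or truncated
          # download fails the job before anything is compiled.
          echo "${{ matrix.sha256 }}  $tarball" | sha256sum -c -
          tar -xzf "$tarball"

      - name: Build and install OpenSSL
        run: |
          set -euo pipefail
          cd "openssl-${{ matrix.version }}"
          ./Configure --prefix="$OPENSSL_INSTALL_DIR" --libdir=lib64
          make -j"$(nproc)"
          sudo make install_sw

      - name: Build and test SoftHSM
        run: |
          set -euo pipefail
          sh autogen.sh
          # --with-openssl is assumed here; check the project's configure --help.
          ./configure --with-openssl="$OPENSSL_INSTALL_DIR"
          make -j"$(nproc)"
          make check
```

Keeping the expected hash in the matrix next to the version it belongs to means a version bump is a two-line change that cannot silently pick up a different tarball, and the verification step runs before any build step so a mismatch never reaches the compiler. The job-level permissions and the unpinned-versus-pinned checkout are exactly the two findings in the review above; with both applied, the job holds only a read-only token and executes a known action revision.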

@bukka

bukka commented Jun 21, 2026

Member Author

These are just straightforward CI changes, so there is no need to wait for review here.

@bukka bukka merged commit a221296 into softhsm:main Jun 21, 2026
14 checks passed