tools: migrate from openssl-matrix.json to openssl-matrix.nix

Signed-off-by: Antoine du Hamel <[email protected]>

Author: aduh95

.github/workflows/test-shared.yml

@@ -172,6 +172,7 @@ jobs:
     name: 'aarch64-linux: Cache V8 build'
     outputs:
       local-cache: ${{ steps.upload.outcome != 'skipped' && 'true' || '' }}
+      matrix: ${{ steps.query.outputs.matrix }}
     steps:
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
@@ -227,25 +228,17 @@ jobs:
           name: libv8
           path: libv8
 
-  # Builds the matrix for `build-openssl` from tools/nix/openssl-matrix.json.
-  # Output shape:
-  # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
-  collect-openssl-versions:
-    if: github.event.pull_request.draft == false
-    runs-on: ubuntu-slim
-    outputs:
-      matrix: ${{ steps.query.outputs.matrix }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-          sparse-checkout: tools/nix/openssl-matrix.json
-          sparse-checkout-cone-mode: false
-      - id: query
+      - name: Collect matrix of support OpenSSL versions
+        id: query
         run: |
           {
             echo 'matrix<<EOF'
-            cat tools/nix/openssl-matrix.json
+            nix-instantiate --eval --strict --json -E "
+              let
+                matrix = import $TAR_DIR/tools/nix/openssl-matrix.nix {};
+              in
+              builtins.map (attr: { inherit attr; inherit (builtins.getAttr attr matrix) name; }) (builtins.attrNames matrix)
+            "
             echo 'EOF'
           } >> "$GITHUB_OUTPUT"
 
@@ -255,19 +248,16 @@ jobs:
   # entry, while all other shared libs remain at their defaults. Only runs on
   # a single runner/system (aarch64-linux) to keep the matrix to a minimum.
   build-openssl:
-    needs:
-      - build-aarch64-linux-v8
-      - collect-openssl-versions
+    needs: build-aarch64-linux-v8
     strategy:
       fail-fast: false
       matrix:
-        openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }}
-    name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})'
+        openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }}
+    name: 'aarch64-linux: with shared ${{ matrix.openssl.name }}'
     runs-on: ubuntu-24.04-arm
-    continue-on-error: ${{ matrix.openssl['continue-on-error'] }}
+    continue-on-error: false
     env:
       OPENSSL_ATTR: ${{ matrix.openssl.attr }}
-      OPENSSL_VERSION: ${{ matrix.openssl.version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
@@ -293,5 +283,5 @@ jobs:
           extra-nix-flags: |
             --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8)"' || 'true' }} \
             --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // {
-                openssl = (import $TAR_DIR/tools/nix/pkgs.nix { config.permittedInsecurePackages = [ \"openssl-$OPENSSL_VERSION\" ]; }).$OPENSSL_ATTR;
+                openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR;
               }" \

tools/dep_updaters/update-nixpkgs-pin.sh

@@ -5,7 +5,7 @@ set -ex
 
 BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
 NIXPKGS_PIN_FILE="$BASE_DIR/tools/nix/pkgs.nix"
-OPENSSL_MATRIX_FILE="$BASE_DIR/tools/nix/openssl-matrix.json"
+OPENSSL_MATRIX_FILE="$BASE_DIR/tools/nix/openssl-matrix.nix"
 
 NIXPKGS_REPO=$(grep 'repo =' "$NIXPKGS_PIN_FILE" | awk -F'"' '{ print $2 }')
 CURRENT_VERSION_SHA1=$(grep 'rev =' "$NIXPKGS_PIN_FILE" | awk -F'"' '{ print $2 }')
@@ -26,7 +26,7 @@ TMP_FILE=$(mktemp)
 sed "s/$CURRENT_VERSION_SHA1/$NEW_UPSTREAM_SHA1/;s/$CURRENT_TARBALL_HASH/$NEW_TARBALL_HASH/" "$NIXPKGS_PIN_FILE" > "$TMP_FILE"
 mv "$TMP_FILE" "$NIXPKGS_PIN_FILE"
 
-"$BASE_DIR/tools/nix/collect-openssl-matrix.sh" | jq . > "$OPENSSL_MATRIX_FILE"
+"$BASE_DIR/tools/nix/collect-openssl-matrix.sh" > "$OPENSSL_MATRIX_FILE"
 
 cat -<<EOF
 All done!

tools/nix/collect-openssl-matrix.sh

@@ -24,42 +24,34 @@ here=$(cd -- "$(dirname -- "$0")" && pwd)
 #    repo-pinned nixpkgs. `tryEval` skips aliases that raise (e.g.
 #    `openssl_3_0` → renamed to `openssl_3`) so we only keep attributes
 #    that resolve to a real derivation with a `.version`.
-nix_json=$(nix-instantiate --eval --strict --json -E "
+nix-instantiate --eval --strict --json -E "
   let
     pkgs = import $here/pkgs.nix {};
-    names = builtins.filter
-      (n: builtins.match \"openssl_[0-9]+(_[0-9]+)?\" n != null)
-      (builtins.attrNames pkgs);
-    safe = builtins.filter (n:
-      let t = builtins.tryEval pkgs.\${n}; in
-      t.success && (builtins.tryEval t.value.version).success) names;
-  in map (n: { attr = n; version = pkgs.\${n}.version; }) safe
-")
+    attrs = builtins.filter
+      (n:
+        let t = builtins.tryEval pkgs.\${n}; in
+        t.success && (builtins.tryEval t.value.version).success
+      )
+      (
+        builtins.filter
+          (n: builtins.match \"openssl_[0-9]+(_[0-9]+)?\" n != null)
+          (builtins.attrNames pkgs)
+      );
+  in
+  {
+    inherit attrs;
+    permittedInsecurePackages = builtins.map (attr: pkgs.\${attr}.name) (
+      builtins.filter (attr: (pkgs.\${attr}.meta.insecure)) attrs
+    );
+  }
+" | jq -r '"{
+  pkgs ? import ./pkgs.nix {
+    config.permittedInsecurePackages = [ \(.permittedInsecurePackages | map(@json) | join(" ")) ];
+  },
+}:
 
-# 2. Fetch OpenSSL release versions from endoflife.date, keep entries that
-#    are either not past EOL or still under extended support, then pick the
-#    first nix attr whose `.version` starts with the release version
-#    followed by `.` / letter / end-of-string (so "3.6" matches "3.6.1",
-#    "1.1.1" matches "1.1.1w", and "1.1" does NOT swallow "1.1.1").
-#    Releases without a matching nix attr are dropped.
-curl -sf https://endoflife.date/api/openssl.json \
-  | jq -c \
-      --argjson nix "$nix_json" \
-      --arg supported "$SUPPORTED_OPENSSL_VERSION" '
-    (now | strftime("%Y-%m-%d")) as $today |
-    # Compare OpenSSL major.minor cycles as numeric tuples.
-    def cycle_tuple($v):
-      ($v | split(".") | map(tonumber));
-    [ .[]
-      | select(.eol == false or .eol > $today or .extendedSupport == true)
-      | .cycle as $v
-      | ($nix
-          | map(select(.version | test("^" + ($v | gsub("\\."; "\\.")) + "([.a-z]|$)")))
-          | first) as $m
-      | select($m != null)
-      | {
-          version: $m.version,
-          attr: $m.attr,
-          "continue-on-error": (cycle_tuple($v) > cycle_tuple($supported))
-        }
-    ]'
+{
+  inherit (pkgs)
+    \(.attrs | join("\n    "))
+    ;
+}"'

tools/nix/openssl-matrix.json

@@ -0,0 +1,15 @@
+{
+  pkgs ? import ./pkgs.nix {
+    config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
+  },
+}:
+
+{
+  inherit (pkgs)
+    openssl_1_1
+    openssl_3
+    openssl_3_5
+    openssl_3_6
+    openssl_4_0
+    ;
+}

tools/nix/openssl-matrix.nix

@@ -48,7 +48,7 @@
   ffi = pkgs.libffiReal;
 })
 // (pkgs.lib.optionalAttrs withSSL ({
-  openssl = pkgs.openssl_3_5;
+  openssl = (import ./openssl-matrix.nix { inherit pkgs; }).openssl_3_5;
 }))
 // (pkgs.lib.optionalAttrs withTemporal {
   inherit (pkgs) temporal_capi;