let the updater drive the matrix in the workflow

Author: panva

.github/workflows/test-shared.yml

@@ -106,6 +106,9 @@ concurrency:
 
 env:
   FLAKY_TESTS: keep_retrying
+  # Latest OpenSSL major.minor cycle we support running tests with.
+  # The nixpkgs updater regenerates the OpenSSL matrix using this value.
+  SUPPORTED_OPENSSL_VERSION: '4.0'
 
 permissions:
   contents: read
@@ -166,33 +169,6 @@ jobs:
           system: ${{ matrix.system }}
           cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
-  # Builds the matrix for the `build-openssl` job. The logic lives in
-  # tools/nix/collect-openssl-matrix.sh.
-  # Output shape:
-  # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
-  collect-openssl-versions:
-    if: github.event.pull_request.draft == false
-    runs-on: ubuntu-slim
-    outputs:
-      matrix: ${{ steps.query.outputs.matrix }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-          sparse-checkout: tools/nix
-          sparse-checkout-cone-mode: false
-      - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe  # v31.10.3
-        with:
-          extra_nix_config: sandbox = true
-      - id: query
-        env:
-          # Latest OpenSSL release we support running tests with. Anything
-          # newer runs with continue-on-error in `build-openssl`.
-          SUPPORTED_OPENSSL_VERSION: '4.0'
-        run: |
-          matrix=$(./tools/nix/collect-openssl-matrix.sh)
-          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
-
   # Builds and tests Node.js with shared libraries against every supported
   # OpenSSL release version available in the repo-pinned nixpkgs. The default
   # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix
@@ -201,11 +177,24 @@ jobs:
   build-openssl:
     needs:
       - build-tarball
-      - collect-openssl-versions
     strategy:
       fail-fast: false
       matrix:
-        openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }}
+        openssl:
+          # BEGIN_OPENSSL_MATRIX (autogenerated by tools/dep_updaters/update-nixpkgs-pin.sh)
+          - version: 4.0.0
+            attr: openssl_4_0
+            continue-on-error: false
+          - version: 3.6.1
+            attr: openssl_3_6
+            continue-on-error: false
+          - version: 3.0.19
+            attr: openssl_3
+            continue-on-error: false
+          - version: 1.1.1w
+            attr: openssl_1_1
+            continue-on-error: false
+          # END_OPENSSL_MATRIX
     name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})'
     runs-on: ubuntu-24.04-arm
     continue-on-error: ${{ matrix.openssl['continue-on-error'] }}

tools/dep_updaters/update-nixpkgs-pin.sh

@@ -5,6 +5,7 @@ set -ex
 
 BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
 NIXPKGS_PIN_FILE="$BASE_DIR/tools/nix/pkgs.nix"
+TEST_SHARED_WORKFLOW_FILE="$BASE_DIR/.github/workflows/test-shared.yml"
 
 NIXPKGS_REPO=$(grep 'repo =' "$NIXPKGS_PIN_FILE" | awk -F'"' '{ print $2 }')
 CURRENT_VERSION_SHA1=$(grep 'rev =' "$NIXPKGS_PIN_FILE" | awk -F'"' '{ print $2 }')
@@ -25,12 +26,66 @@ TMP_FILE=$(mktemp)
 sed "s/$CURRENT_VERSION_SHA1/$NEW_UPSTREAM_SHA1/;s/$CURRENT_TARBALL_HASH/$NEW_TARBALL_HASH/" "$NIXPKGS_PIN_FILE" > "$TMP_FILE"
 mv "$TMP_FILE" "$NIXPKGS_PIN_FILE"
 
+SUPPORTED_OPENSSL_VERSION=$(sed -nE "s/^[[:space:]]*SUPPORTED_OPENSSL_VERSION:[[:space:]]*'([^']+)'[[:space:]]*$/\1/p" "$TEST_SHARED_WORKFLOW_FILE" | head -n1)
+
+if [ -z "$SUPPORTED_OPENSSL_VERSION" ]; then
+	echo "Could not resolve SUPPORTED_OPENSSL_VERSION from $TEST_SHARED_WORKFLOW_FILE" >&2
+	exit 1
+fi
+
+OPENSSL_MATRIX_BLOCK=$("$BASE_DIR/tools/nix/collect-openssl-matrix.sh" | jq -r --arg supported "$SUPPORTED_OPENSSL_VERSION" '
+	# Compare OpenSSL major.minor cycles as numeric tuples.
+	def cycle_tuple($v):
+		($v | capture("^(?<cycle>[0-9]+\\.[0-9]+)").cycle | split(".") | map(tonumber));
+	[
+		"          # BEGIN_OPENSSL_MATRIX (autogenerated by tools/dep_updaters/update-nixpkgs-pin.sh)",
+		(
+			.[]
+			| "          - version: \(.version)\n            attr: \(.attr)\n            continue-on-error: \(cycle_tuple(.version) > cycle_tuple($supported))"
+		),
+		"          # END_OPENSSL_MATRIX"
+	]
+	| join("\n")
+')
+
+if ! grep -q "BEGIN_OPENSSL_MATRIX" "$TEST_SHARED_WORKFLOW_FILE"; then
+	echo "Could not find BEGIN_OPENSSL_MATRIX marker in $TEST_SHARED_WORKFLOW_FILE" >&2
+	exit 1
+fi
+
+if ! grep -q "END_OPENSSL_MATRIX" "$TEST_SHARED_WORKFLOW_FILE"; then
+	echo "Could not find END_OPENSSL_MATRIX marker in $TEST_SHARED_WORKFLOW_FILE" >&2
+	exit 1
+fi
+
+TMP_WORKFLOW_FILE=$(mktemp)
+TMP_BLOCK_FILE=$(mktemp)
+printf '%s\n' "$OPENSSL_MATRIX_BLOCK" > "$TMP_BLOCK_FILE"
+
+awk -v block_file="$TMP_BLOCK_FILE" '
+	/BEGIN_OPENSSL_MATRIX/ {
+		while ((getline line < block_file) > 0) {
+			print line;
+		}
+		close(block_file);
+		in_block = 1;
+		next;
+	}
+	/END_OPENSSL_MATRIX/ {
+		in_block = 0;
+		next;
+	}
+	!in_block { print }
+' "$TEST_SHARED_WORKFLOW_FILE" > "$TMP_WORKFLOW_FILE"
+mv "$TMP_WORKFLOW_FILE" "$TEST_SHARED_WORKFLOW_FILE"
+rm -f "$TMP_BLOCK_FILE"
+
 cat -<<EOF
 All done!
 
 Please git add and commit the new version:
 
-$ git add $NIXPKGS_PIN_FILE
+$ git add $NIXPKGS_PIN_FILE $TEST_SHARED_WORKFLOW_FILE
 $ git commit -m 'tools: bump nixpkgs-unstable pin to $NEW_VERSION'
 EOF
 

tools/nix/collect-openssl-matrix.sh

@@ -1,23 +1,19 @@
 #!/bin/sh
 #
-# Emits a JSON matrix of OpenSSL releases to test Node.js against with
-# shared libraries, consumed by the `build-openssl` job in
-# .github/workflows/test-shared.yml.
+# Emits the JSON source data of OpenSSL releases to test Node.js against with
+# shared libraries.
 #
-# Inputs (env):
-#   SUPPORTED_OPENSSL_VERSION  Latest OpenSSL release we support running
-#                              tests with. Anything newer is emitted with
-#                              "continue-on-error": true.
+# This helper is used by tools/dep_updaters/update-nixpkgs-pin.sh to
+# regenerate the autogenerated OpenSSL matrix block in
+# .github/workflows/test-shared.yml.
 #
 # Output (stdout): a JSON array with shape
-#   [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
+#   [{ "version": "3.6.1", "attr": "openssl_3_6" }, ...]
 #
-# Usage: SUPPORTED_OPENSSL_VERSION=4.0 ./tools/nix/collect-openssl-matrix.sh
+# Usage: ./tools/nix/collect-openssl-matrix.sh
 
 set -eu
 
-: "${SUPPORTED_OPENSSL_VERSION:?SUPPORTED_OPENSSL_VERSION must be set}"
-
 here=$(cd -- "$(dirname -- "$0")" && pwd)
 
 # 1. Enumerate every `openssl_N` / `openssl_N_M` attribute exposed by the
@@ -53,17 +49,8 @@ default_openssl_version=$(nix-instantiate --eval --strict --json -E "
 curl -sf https://endoflife.date/api/openssl.json \
   | jq -c \
       --argjson nix "$nix_json" \
-      --arg supported "$SUPPORTED_OPENSSL_VERSION" \
       --arg default_version "$default_openssl_version" '
     (now | strftime("%Y-%m-%d")) as $today |
-    # Compare two dotted version strings as arrays of numbers
-    # (e.g. "4.1" > "4.0" => true, "4.0" > "4.0" => false).
-    def gt($a; $b):
-      ([$a, $b] | map(split(".") | map(tonumber))) as [$x, $y]
-      | ($x | length) as $n | ($y | length) as $m
-      | [range(0; if $n > $m then $n else $m end)
-          | ((($x[.]) // 0) - (($y[.]) // 0))]
-      | map(select(. != 0)) | (.[0] // 0) > 0;
     [ .[]
       | select(.eol == false or .eol > $today or .extendedSupport == true)
       | .cycle as $v
@@ -72,5 +59,5 @@ curl -sf https://endoflife.date/api/openssl.json \
           | first) as $m
       | select($m != null)
       | select($m.version != $default_version)
-      | { version: $m.version, attr: $m.attr, "continue-on-error": gt($v; $supported) }
+      | { version: $m.version, attr: $m.attr }
     ]'