bring collect-openssl-versions back but simpler

panva · panva · commit bc5e7ebdb1b7 · 2026-04-23T00:07:19.000+02:00
diff --git a/.github/workflows/test-shared.yml b/.github/workflows/test-shared.yml
@@ -169,6 +169,25 @@ jobs:
           system: ${{ matrix.system }}
           cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
+  # Builds the matrix for `build-openssl` from tools/nix/openssl-matrix.json.
+  # Output shape:
+  # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
+  collect-openssl-versions:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-slim
+    outputs:
+      matrix: ${{ steps.query.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: tools/nix
+          sparse-checkout-cone-mode: false
+      - id: query
+        run: |
+          matrix=$(jq -c . tools/nix/openssl-matrix.json)
+          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
+
   # Builds and tests Node.js with shared libraries against every supported
   # OpenSSL release version available in the repo-pinned nixpkgs. The default
   # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix
@@ -177,24 +196,11 @@ jobs:
   build-openssl:
     needs:
       - build-tarball
+      - collect-openssl-versions
     strategy:
       fail-fast: false
       matrix:
-        openssl:
-          # BEGIN_OPENSSL_MATRIX (autogenerated by tools/dep_updaters/update-nixpkgs-pin.sh)
-          - version: 4.0.0
-            attr: openssl_4_0
-            continue-on-error: false
-          - version: 3.6.1
-            attr: openssl_3_6
-            continue-on-error: false
-          - version: 3.0.19
-            attr: openssl_3
-            continue-on-error: false
-          - version: 1.1.1w
-            attr: openssl_1_1
-            continue-on-error: false
-    # END_OPENSSL_MATRIX
+        openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }}
     name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})'
     runs-on: ubuntu-24.04-arm
     continue-on-error: ${{ matrix.openssl['continue-on-error'] }}
diff --git a/tools/dep_updaters/update-nixpkgs-pin.sh b/tools/dep_updaters/update-nixpkgs-pin.sh
@@ -5,6 +5,7 @@ set -ex
 
 BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
 NIXPKGS_PIN_FILE="$BASE_DIR/tools/nix/pkgs.nix"
+OPENSSL_MATRIX_FILE="$BASE_DIR/tools/nix/openssl-matrix.json"
 TEST_SHARED_WORKFLOW_FILE="$BASE_DIR/.github/workflows/test-shared.yml"
 
 NIXPKGS_REPO=$(grep 'repo =' "$NIXPKGS_PIN_FILE" | awk -F'"' '{ print $2 }')
@@ -33,59 +34,15 @@ if [ -z "$SUPPORTED_OPENSSL_VERSION" ]; then
 	exit 1
 fi
 
-OPENSSL_MATRIX_BLOCK=$("$BASE_DIR/tools/nix/collect-openssl-matrix.sh" | jq -r --arg supported "$SUPPORTED_OPENSSL_VERSION" '
-	# Compare OpenSSL major.minor cycles as numeric tuples.
-	def cycle_tuple($v):
-		($v | capture("^(?<cycle>[0-9]+\\.[0-9]+)").cycle | split(".") | map(tonumber));
-	[
-		"          # BEGIN_OPENSSL_MATRIX (autogenerated by tools/dep_updaters/update-nixpkgs-pin.sh)",
-		(
-			.[]
-			| "          - version: \(.version)\n            attr: \(.attr)\n            continue-on-error: \(cycle_tuple(.version) > cycle_tuple($supported))"
-		),
-		"    # END_OPENSSL_MATRIX"
-	]
-	| join("\n")
-')
-
-if ! grep -q "BEGIN_OPENSSL_MATRIX" "$TEST_SHARED_WORKFLOW_FILE"; then
-	echo "Could not find BEGIN_OPENSSL_MATRIX marker in $TEST_SHARED_WORKFLOW_FILE" >&2
-	exit 1
-fi
-
-if ! grep -q "END_OPENSSL_MATRIX" "$TEST_SHARED_WORKFLOW_FILE"; then
-	echo "Could not find END_OPENSSL_MATRIX marker in $TEST_SHARED_WORKFLOW_FILE" >&2
-	exit 1
-fi
-
-TMP_WORKFLOW_FILE=$(mktemp)
-TMP_BLOCK_FILE=$(mktemp)
-printf '%s\n' "$OPENSSL_MATRIX_BLOCK" > "$TMP_BLOCK_FILE"
-
-awk -v block_file="$TMP_BLOCK_FILE" '
-	/BEGIN_OPENSSL_MATRIX/ {
-		while ((getline line < block_file) > 0) {
-			print line;
-		}
-		close(block_file);
-		in_block = 1;
-		next;
-	}
-	/END_OPENSSL_MATRIX/ {
-		in_block = 0;
-		next;
-	}
-	!in_block { print }
-' "$TEST_SHARED_WORKFLOW_FILE" > "$TMP_WORKFLOW_FILE"
-mv "$TMP_WORKFLOW_FILE" "$TEST_SHARED_WORKFLOW_FILE"
-rm -f "$TMP_BLOCK_FILE"
+SUPPORTED_OPENSSL_VERSION="$SUPPORTED_OPENSSL_VERSION" \
+	"$BASE_DIR/tools/nix/collect-openssl-matrix.sh" | jq . > "$OPENSSL_MATRIX_FILE"
 
 cat -<<EOF
 All done!
 
 Please git add and commit the new version:
 
-$ git add $NIXPKGS_PIN_FILE $TEST_SHARED_WORKFLOW_FILE
+$ git add $NIXPKGS_PIN_FILE $OPENSSL_MATRIX_FILE
 $ git commit -m 'tools: bump nixpkgs-unstable pin to $NEW_VERSION'
 EOF
 
diff --git a/tools/nix/collect-openssl-matrix.sh b/tools/nix/collect-openssl-matrix.sh
@@ -4,16 +4,22 @@
 # shared libraries.
 #
 # This helper is used by tools/dep_updaters/update-nixpkgs-pin.sh to
-# regenerate the autogenerated OpenSSL matrix block in
-# .github/workflows/test-shared.yml.
+# regenerate tools/nix/openssl-matrix.json.
+#
+# Inputs (env):
+#   SUPPORTED_OPENSSL_VERSION  Latest OpenSSL major.minor cycle we support
+#                              running tests with. Newer cycles are emitted
+#                              with "continue-on-error": true.
 #
 # Output (stdout): a JSON array with shape
-#   [{ "version": "3.6.1", "attr": "openssl_3_6" }, ...]
+#   [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
 #
-# Usage: ./tools/nix/collect-openssl-matrix.sh
+# Usage: SUPPORTED_OPENSSL_VERSION=4.0 ./tools/nix/collect-openssl-matrix.sh
 
 set -eu
 
+: "${SUPPORTED_OPENSSL_VERSION:?SUPPORTED_OPENSSL_VERSION must be set}"
+
 here=$(cd -- "$(dirname -- "$0")" && pwd)
 
 # 1. Enumerate every `openssl_N` / `openssl_N_M` attribute exposed by the
@@ -49,8 +55,12 @@ default_openssl_version=$(nix-instantiate --eval --strict --json -E "
 curl -sf https://endoflife.date/api/openssl.json \
   | jq -c \
       --argjson nix "$nix_json" \
+      --arg supported "$SUPPORTED_OPENSSL_VERSION" \
       --arg default_version "$default_openssl_version" '
     (now | strftime("%Y-%m-%d")) as $today |
+    # Compare OpenSSL major.minor cycles as numeric tuples.
+    def cycle_tuple($v):
+      ($v | split(".") | map(tonumber));
     [ .[]
       | select(.eol == false or .eol > $today or .extendedSupport == true)
       | .cycle as $v
@@ -59,5 +69,9 @@ curl -sf https://endoflife.date/api/openssl.json \
           | first) as $m
       | select($m != null)
       | select($m.version != $default_version)
-      | { version: $m.version, attr: $m.attr }
+      | {
+          version: $m.version,
+          attr: $m.attr,
+          "continue-on-error": (cycle_tuple($v) > cycle_tuple($supported))
+        }
     ]'
diff --git a/tools/nix/openssl-matrix.json b/tools/nix/openssl-matrix.json
@@ -0,0 +1,22 @@
+[
+  {
+    "version": "4.0.0",
+    "attr": "openssl_4_0",
+    "continue-on-error": false
+  },
+  {
+    "version": "3.6.1",
+    "attr": "openssl_3_6",
+    "continue-on-error": false
+  },
+  {
+    "version": "3.0.19",
+    "attr": "openssl_3",
+    "continue-on-error": false
+  },
+  {
+    "version": "1.1.1w",
+    "attr": "openssl_1_1",
+    "continue-on-error": false
+  }
+]
