Skip to content

tools: add non-default OpenSSL versions to the test-shared workflow#62862

Open
panva wants to merge 3 commits intonodejs:mainfrom
panva:additional-openssl-in-shared
Open

tools: add non-default OpenSSL versions to the test-shared workflow#62862
panva wants to merge 3 commits intonodejs:mainfrom
panva:additional-openssl-in-shared

Conversation

@panva
Copy link
Copy Markdown
Member

@panva panva commented Apr 21, 2026
edited
Loading

Adds an additional OpenSSL shared-libraries matrix to test-shared.yml so PRs run against additional supported OpenSSL releases. No more waiting for a full CI to find out a crypto/TLS change is broken on another version 🙏.

  • build-openssl now uses a committed matrix in test-shared.yml, regenerated by the existing weekly nixpkgs-unstable updater so the pin bump and tested OpenSSL variants stay in sync in a single PR.
  • The updater derives the matrix from the pinned nixpkgs and https://endoflife.date, dropping EOL versions, versions missing from the pinned nixpkgs, while keeping ones that still have extended support such as 1.1.1.
  • SUPPORTED_OPENSSL_VERSION remains a manually maintained value in tools/nix/collect-openssl-matrix.sh, and drives per-entry continue-on-error in the autogenerated matrix so releases newer than what we explicitly support do not fail GHA.

@panva panva requested a review from aduh95 April 21, 2026 08:27
@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 21, 2026

Review requested:

  • @nodejs/actions

@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory. labels Apr 21, 2026
@panva panva added commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. dont-land-on-v25.x PRs that should not land on the v25.x-staging branch and should not be released in v25.x. labels Apr 21, 2026
@panva panva marked this pull request as ready for review April 21, 2026 11:32
@aduh95
Copy link
Copy Markdown
Contributor

aduh95 commented Apr 21, 2026

Adding extra GHA workflows comes at the expense of spending more minutes to prepare security releases. We can skip the test-shared workflow on the private repo, but idk if it's worth it given that there are some path that we only run on that workflow.
That being said, there's certainly some value to run more variants on GHA, maybe we need to gate them behind github.repository == 'nodejs/node'

aduh95
aduh95 reviewed Apr 21, 2026
View reviewed changes
Comment thread tools/nix/collect-openssl-matrix.sh Outdated
aduh95
aduh95 reviewed Apr 21, 2026
View reviewed changes
Comment thread .github/actions/build-shared/action.yml
@panva
Copy link
Copy Markdown
Member Author

panva commented Apr 21, 2026

but idk if it's worth it given that there are some path that we only run on that workflow

The OpenSSL versions are a big gap. Since we don't/can't keep up with the versions in CI.

aduh95
aduh95 reviewed Apr 21, 2026
View reviewed changes
Comment thread .github/workflows/test-shared.yml Outdated
aduh95
aduh95 reviewed Apr 21, 2026
View reviewed changes
Comment thread .github/workflows/test-shared.yml
@panva panva force-pushed the additional-openssl-in-shared branch from 8bab015 to 1311e12 Compare April 22, 2026 15:40
@panva panva requested a review from richardlau April 22, 2026 15:41
aduh95
aduh95 reviewed Apr 22, 2026
View reviewed changes
Comment thread .github/workflows/test-shared.yml Outdated
aduh95
aduh95 reviewed Apr 22, 2026
View reviewed changes
Comment thread .github/workflows/test-shared.yml
@aduh95
Copy link
Copy Markdown
Contributor

aduh95 commented Apr 25, 2026

I did another pass at this PR, and tested aduh95@a01a6ef. Could you have a look, and feel free to pull it and/or adapt from it

@panva panva force-pushed the additional-openssl-in-shared branch from bc5e7eb to 85900e8 Compare April 25, 2026 20:22
@panva
Copy link
Copy Markdown
Member Author

panva commented Apr 25, 2026
edited
Loading

@aduh95 looks great, i pulled it in and lint-fixed it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anonrig anonrig anonrig approved these changes

@aduh95 aduh95 aduh95 approved these changes

@richardlau richardlau Awaiting requested review from richardlau

Assignees

No one assigned

Labels

commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. dont-land-on-v25.x PRs that should not land on the v25.x-staging branch and should not be released in v25.x. meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@panva @nodejs-github-bot @aduh95 @anonrig