Use severity: ABI changed label instead of CI failure for ABIDIFF

Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22901)
2025-04-06 20:20:50 +08:00 · 2023-12-01 16:02:35 +01:00 · 2023-12-01 16:02:35 +01:00 · 5cd004222d
commit 5cd004222d
parent 7ebaab7689
5 changed files with 107 additions and 82956 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -283,7 +283,7 @@ jobs:
    - name: make test
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

-  full_feat_w_abidiff:
+  full_featured:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
@ -298,25 +298,13 @@ jobs:
    - name: install extra config support
      run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
    - name: config
-      run: ./config --banner=Configured -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
-    - name: Check ABI compatibility for libcrypto
-      run: |
-        if ! abidiff ./.github/workflows/libcrypto-abi.xml ./libcrypto.so ; then
-          abidw --out-file libcrypto-abi-new.xml ./libcrypto.so
-          diff -u ./.github/workflows/libcrypto-abi.xml libcrypto-abi-new.xml
-        fi
-    - name: Check ABI compatibility for libssl
-      run: |
-        if ! abidiff ./.github/workflows/libssl-abi.xml ./libssl.so ; then
-          abidw --out-file libssl-abi-new.xml ./libssl.so
-          diff -u ./.github/workflows/libssl-abi.xml libssl-abi-new.xml
-        fi
    - name: make test
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

--- a/.github/workflows/fips-checksums.yml
+++ b/.github/workflows/fips-checksums.yml
@ -5,7 +5,7 @@
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html

-name: FIPS Checksums
+name: FIPS Check and ABIDIFF
 on: [pull_request]

 permissions:
@ -73,3 +73,47 @@ jobs:
        with:
          name: fips_checksum
          path: artifact/
+
+  compute-abidiff:
+    runs-on: ubuntu-latest
+    env:
+      BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd
+    steps:
+      - name: create build dirs
+        run: |
+          mkdir ./build-pristine
+          mkdir ./source-pristine
+          mkdir ./build
+          mkdir ./source
+          mkdir ./artifact
+      - name: install extra config support
+        run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.pull_request.base.repo.full_name }}
+          ref: ${{ github.event.pull_request.base.ref }}
+          path: source-pristine
+      - name: config pristine
+        run: ../source-pristine/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump
+        working-directory: ./build-pristine
+      - name: make pristine
+        run: make -s -j4
+        working-directory: ./build-pristine
+      - uses: actions/checkout@v4
+        with:
+          path: source
+      - name: config
+        run: ../source/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump
+        working-directory: ./build
+      - name: make
+        run: make -s -j4
+        working-directory: ./build
+      - name: abidiff
+        run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED )
+      - name: save PR number
+        run: echo ${{ github.event.number }} > ./artifact/pr_num
+      - name: save artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: abidiff
+          path: artifact/
--- a/.github/workflows/fips-label.yml
+++ b/.github/workflows/fips-label.yml
@ -5,10 +5,10 @@
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html

-name: FIPS Changed Label
+name: FIPS and ABI Changed Label
 on:
  workflow_run:
-    workflows: ["FIPS Checksums"]
+    workflows: ["FIPS Check and ABIDIFF"]
    types:
      - completed

@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.event == 'pull_request' }}
    steps:
-      - name: 'Download artifact'
+      - name: 'Download fipscheck artifact'
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        uses: actions/github-script@v7
        with:
@ -79,3 +79,60 @@ jobs:
                }
              }
            }
+
+      - name: 'Download abidiff artifact'
+        if: ${{ github.event.workflow_run.conclusion == 'success' }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "abidiff"
+            })[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
+      - run: unzip artifact.zip
+        if: ${{ github.event.workflow_run.conclusion == 'success' }}
+      - name: 'Check artifact and apply'
+        if: ${{ github.event.workflow_run.conclusion == 'success' }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            var fs = require('fs');
+            var pr_num = Number(fs.readFileSync('./pr_num'));
+            if ( fs.existsSync('./abi_changed') ) {
+              github.rest.issues.addLabels({
+                issue_number: pr_num,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                labels: ['severity: ABI change']
+              });
+            } else if ( fs.existsSync('./abi_unchanged') ) {
+              var labels = await github.rest.issues.listLabelsOnIssue({
+                issue_number: pr_num,
+                owner: context.repo.owner,
+                repo: context.repo.repo
+              });
+
+              for ( var label in labels.data ) {
+                if (labels.data[label].name == 'severity: ABI change') {
+                  github.rest.issues.removeLabel({
+                    issue_number: pr_num,
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    name: 'severity: fips change'
+                  });
+                }
+              }
+            }
--- a/.github/workflows/libcrypto-abi.xml
+++ b/.github/workflows/libcrypto-abi.xml
--- a/.github/workflows/libssl-abi.xml
+++ b/.github/workflows/libssl-abi.xml