Skip to content

Commit 6c59083

Browse files
marco-ippolitoRafaelGSS
marco-ippolito
authored and
RafaelGSS
committed
tools: automate update openssl v16
PR-URL: #48377 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
1 parent 2f0f403 commit 6c59083

File tree

2 files changed

+150
-37
lines changed

2 files changed

+150
-37
lines changed

.github/workflows/update-openssl.yml

Lines changed: 57 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -10,35 +10,23 @@ permissions:
1010
contents: read
1111

1212
jobs:
13-
openssl-update:
13+
openssl-v3-update:
1414
if: github.repository == 'nodejs/node'
1515
runs-on: ubuntu-latest
1616
steps:
1717
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
1818
with:
1919
persist-credentials: false
20-
- name: Check if update branch already exists
21-
run: |
22-
BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl)
23-
echo "BRANCH_EXISTS=$BRANCH_EXISTS" >> $GITHUB_ENV
2420
- name: Check and download new OpenSSL version
25-
# Only run rest of the workflow if the update branch does not yet exist
26-
if: ${{ env.BRANCH_EXISTS == '' }}
2721
run: |
28-
NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[].tag_name|select(contains("openssl-3"))|ltrimstr("openssl-")' | head -n1)
29-
NEW_VERSION_NO_RELEASE_1=$(case $NEW_VERSION in *quic1) echo ${NEW_VERSION%1};; *) echo $NEW_VERSION;; esac)
30-
VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
31-
CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p" | sed 's/+/-/g')
32-
echo "comparing current version: $CURRENT_VERSION with $NEW_VERSION_NO_RELEASE_1"
33-
if [ "$NEW_VERSION_NO_RELEASE_1" != "$CURRENT_VERSION" ]; then
34-
echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
35-
echo "HAS_UPDATE=true" >> $GITHUB_ENV
36-
./tools/dep_updaters/update-openssl.sh download "$NEW_VERSION"
37-
fi
22+
./tools/dep_updaters/update-openssl.sh download_v3 > temp-output
23+
cat temp-output
24+
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
25+
rm temp-output
3826
env:
3927
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
4028
- name: Create PR with first commit
41-
if: env.HAS_UPDATE
29+
if: env.NEW_VERSION
4230
uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
4331
# Creates a PR with the new OpenSSL source code committed
4432
env:
@@ -53,15 +41,15 @@ jobs:
5341
path: deps/openssl
5442
update-pull-request-title-and-body: true
5543
- name: Regenerate platform specific files
56-
if: env.HAS_UPDATE
44+
if: env.NEW_VERSION
5745
run: |
5846
sudo apt install -y nasm libtext-template-perl
5947
./tools/dep_updaters/update-openssl.sh regenerate
6048
env:
6149
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
6250
- name: Add second commit
6351
# Adds a second commit to the PR with the generated platform-dependent files
64-
if: env.HAS_UPDATE
52+
if: env.NEW_VERSION
6553
uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
6654
env:
6755
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
@@ -70,3 +58,52 @@ jobs:
7058
branch: actions/tools-update-openssl # Custom branch *just* for this Action.
7159
commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
7260
path: deps/openssl
61+
openssl-v1-update:
62+
if: github.repository == 'nodejs/node'
63+
runs-on: ubuntu-latest
64+
steps:
65+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
66+
with:
67+
persist-credentials: false
68+
ref: v16.x-staging
69+
- name: Check and download new OpenSSL version
70+
run: |
71+
./tools/dep_updaters/update-openssl.sh download_v1 > temp-output
72+
cat temp-output
73+
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
74+
rm temp-output
75+
env:
76+
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
77+
- name: Create PR with first commit
78+
if: env.NEW_VERSION
79+
uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
80+
# Creates a PR with the new OpenSSL source code committed
81+
env:
82+
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
83+
with:
84+
author: Node.js GitHub Bot <github-bot@iojs.org>
85+
body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
86+
branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
87+
commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
88+
labels: dependencies
89+
title: '[v16.x] deps: update OpenSSL to ${{ env.NEW_VERSION }}'
90+
path: deps/openssl
91+
update-pull-request-title-and-body: true
92+
- name: Regenerate platform specific files
93+
if: env.NEW_VERSION
94+
run: |
95+
sudo apt install -y nasm libtext-template-perl
96+
./tools/dep_updaters/update-openssl.sh regenerate
97+
env:
98+
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
99+
- name: Add second commit
100+
# Adds a second commit to the PR with the generated platform-dependent files
101+
if: env.NEW_VERSION
102+
uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
103+
env:
104+
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
105+
with:
106+
author: Node.js GitHub Bot <github-bot@iojs.org>
107+
branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
108+
commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
109+
path: deps/openssl

tools/dep_updaters/update-openssl.sh

Lines changed: 93 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -9,45 +9,115 @@ cleanup() {
99
exit $EXIT_CODE
1010
}
1111

12-
download() {
13-
if [ -z "$1" ]; then
14-
echo "Error: please provide an OpenSSL version to update to"
15-
echo "e.g. ./$0 download 3.0.7+quic1"
16-
exit 1
17-
fi
12+
download_v1() {
13+
LATEST_V1_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
14+
const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1');
15+
if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
16+
const releases = await res.json()
17+
const latest = releases.findLast(({ ref }) => ref.includes('quic'));
18+
if(!latest) throw new Error(`Could not find latest release for v1`);
19+
console.log(latest.ref.replace('refs/tags/',''));
20+
EOF
21+
)"
22+
23+
NEW_VERSION_V1=$(echo "$LATEST_V1_TAG_NAME" | sed 's/OpenSSL_//;s/_/./g;s/-/+/g')
24+
25+
case "$NEW_VERSION_V1" in
26+
*quic1) NEW_VERSION_V1_NO_RELEASE="${NEW_VERSION_V1%1}" ;;
27+
*) NEW_VERSION_V1_NO_RELEASE="$NEW_VERSION_V1" ;;
28+
esac
1829

19-
OPENSSL_VERSION=$1
20-
echo "Making temporary workspace..."
21-
WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
30+
VERSION_H="$DEPS_DIR/openssl/openssl/include/openssl/opensslv.h"
31+
CURRENT_VERSION=$(grep "OPENSSL_VERSION_TEXT" "$VERSION_H" | sed -n "s/.*OpenSSL \([^\"]*\).*/\1/p" | cut -d ' ' -f 1)
2232

23-
# shellcheck disable=SC1091
24-
. "$BASE_DIR/tools/dep_updaters/utils.sh"
33+
# This function exit with 0 if new version and current version are the same
34+
compare_dependency_version "openssl" "$NEW_VERSION_V1_NO_RELEASE" "$CURRENT_VERSION"
2535

36+
echo "Making temporary workspace..."
37+
WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
2638
cd "$WORKSPACE"
2739

2840
echo "Fetching OpenSSL source archive..."
29-
OPENSSL_TARBALL="openssl-v$OPENSSL_VERSION.tar.gz"
30-
curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/openssl-$OPENSSL_VERSION"
41+
OPENSSL_TARBALL="openssl.tar.gz"
42+
curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V1_TAG_NAME"
3143
log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
3244
gzip -dc "$OPENSSL_TARBALL" | tar xf -
3345
rm "$OPENSSL_TARBALL"
46+
3447
mv quictls-openssl-* openssl
3548

3649
echo "Replacing existing OpenSSL..."
3750
rm -rf "$DEPS_DIR/openssl/openssl"
3851
mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"
52+
53+
echo "All done!"
54+
echo ""
55+
echo "Please git add openssl, and commit the new version:"
56+
echo ""
57+
echo "$ git add -A deps/openssl/openssl"
58+
echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
59+
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V1\""
60+
echo ""
61+
# The last line of the script should always print the new version,
62+
# as we need to add it to $GITHUB_ENV variable.
63+
echo "NEW_VERSION=$NEW_VERSION_V1"
64+
}
3965

40-
# Update the version number
41-
update_dependency_version "openssl" "$OPENSSL_VERSION"
66+
download_v3() {
67+
LATEST_V3_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
68+
const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/openssl-3.0');
69+
if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
70+
const releases = await res.json()
71+
const latest = releases.findLast(({ ref }) => ref.includes('quic'));
72+
if(!latest) throw new Error(`Could not find latest release for v3.0`);
73+
console.log(latest.ref.replace('refs/tags/',''));
74+
EOF
75+
)"
76+
NEW_VERSION_V3=$(echo "$LATEST_V3_TAG_NAME" | sed 's/openssl-//;s/-/+/g')
77+
78+
case "$NEW_VERSION_V3" in
79+
*quic1) NEW_VERSION_V3_NO_RELEASE="${NEW_VERSION_V3%1}" ;;
80+
*) NEW_VERSION_V3_NO_RELEASE="$NEW_VERSION_V3" ;;
81+
esac
82+
VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
83+
CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p")
84+
# This function exit with 0 if new version and current version are the same
85+
compare_dependency_version "openssl" "$NEW_VERSION_V3_NO_RELEASE" "$CURRENT_VERSION"
4286

87+
echo "Making temporary workspace..."
88+
89+
WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
90+
91+
cd "$WORKSPACE"
92+
echo "Fetching OpenSSL source archive..."
93+
94+
OPENSSL_TARBALL="openssl.tar.gz"
95+
96+
curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V3_TAG_NAME"
97+
98+
log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
99+
100+
gzip -dc "$OPENSSL_TARBALL" | tar xf -
101+
102+
rm "$OPENSSL_TARBALL"
103+
mv quictls-openssl-* openssl
104+
echo "Replacing existing OpenSSL..."
105+
rm -rf "$DEPS_DIR/openssl/openssl"
106+
mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"
107+
108+
# Update the version number
109+
update_dependency_version "openssl" "$NEW_VERSION_V3"
43110
echo "All done!"
44111
echo ""
45112
echo "Please git add openssl, and commit the new version:"
46113
echo ""
47114
echo "$ git add -A deps/openssl/openssl"
48115
echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
49-
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$OPENSSL_VERSION\""
116+
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V3\""
50117
echo ""
118+
# The last line of the script should always print the new version,
119+
# as we need to add it to $GITHUB_ENV variable.
120+
echo "NEW_VERSION=$NEW_VERSION_V3"
51121
}
52122

53123
regenerate() {
@@ -94,8 +164,14 @@ main() {
94164
BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
95165
DEPS_DIR="$BASE_DIR/deps"
96166

167+
[ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
168+
[ -x "$NODE" ] || NODE=$(command -v node)
169+
170+
# shellcheck disable=SC1091
171+
. "$BASE_DIR/tools/dep_updaters/utils.sh"
172+
97173
case ${1} in
98-
help | download | regenerate )
174+
help | regenerate | download_v1 | download_v3 )
99175
$1 "${2}"
100176
;;
101177
* )

0 commit comments

Comments
 (0)