
In the AEAD Cipher implementation, avoid copying input in doFinal when update was not called before. #2926


Workflow file for this run

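name: Continuous integration

# Triggers: every push, every pull request, and one scheduled run per day.
# The pull-request trigger is `pull_request`, not `pull_request_target`.
on:
  push:
  pull_request:
  schedule:
    # Run every day at midnight UTC
    - cron: '0 0 * * *'

# Least privilege for the workflow token. No job in this workflow pushes,
# tags, comments or publishes a release; the jobs only check out sources and
# pass build artifacts to each other, so read access to the repository
# contents is sufficient.
permissions:
  contents: read

jobs: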
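# --- job: boringssl_clone ---------------------------------------------------
  boringssl_clone:
    # This step ensures that all builders have the same version of BoringSSL:
    # the repository is cloned once and handed to the other jobs as an
    # artifact.
    # NOTE(review): the clone takes whatever the default branch points at when
    # the run starts, so the revision is the same within one run but is not
    # pinned across runs. The commit id echoed below is the only record of
    # which BoringSSL revision a given run built against.
    runs-on: ubuntu-latest
    steps:
      - name: Clone BoringSSL repo
        # --no-checkout: only repository metadata is fetched here; the
        # consuming jobs populate the working tree with `git checkout`.
        # `git -C` reads HEAD from the clone itself, so a missing clone
        # directory fails the step instead of logging the commit of some
        # other repository.
        run: |
          git clone --depth 1 --filter=blob:none --no-checkout https://github.com/google/boringssl.git "${{ runner.temp }}/boringssl"
          echo "Using BoringSSL commit: $(git -C "${{ runner.temp }}/boringssl" rev-parse HEAD)"
      - name: Archive BoringSSL source
        uses: actions/upload-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl
          # Only needed until the dependent jobs have downloaded it.
          retention-days: 1
          # The clone has no working tree, so the .git directory is the
          # payload; it is hidden and must be included explicitly.
          include-hidden-files: true
          if-no-files-found: error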
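# --- job: clang_format_check ------------------------------------------------
  clang_format_check:
    # Only run on pull requests.
    if: ${{ startsWith(github.ref, 'refs/pull/') }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history, so the base branch is available to diff against.
          fetch-depth: 0
      - name: Get git-clang-format
        # Uses the most recent clang-format on Ubuntu.
        run: |
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends clang-format
      - name: Run git-clang-format against source branch
        # The base branch name is read from the environment, not expanded
        # into the script with a workflow expression, and is quoted so that it
        # is always passed to git as a single argument.
        run: |
          git clang-format --style=file --diff "origin/$GITHUB_BASE_REF" '*.c' '*.h' '*.cc' '*.cpp' '*.java'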
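# --- job: build -------------------------------------------------------------
  build:
    # Builds BoringSSL and the project on each platform, runs the Gradle
    # checks, and uploads a per-OS local Maven repository (plus, on Linux, the
    # test JAR) for the later jobs.
    needs: boringssl_clone
    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-latest, windows-latest]
        include:
          # NOTE(review): tools_url is fetched with curl in "Setup Android
          # environment" and unpacked without an integrity check. Recording
          # the expected SHA-256 of each archive next to its URL and verifying
          # it before unzip would close that gap. That step is gated on Linux,
          # so only the first URL is used by the steps in this job.
          - platform: ubuntu-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip
          - platform: macos-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-mac-9477386_latest.zip
          - platform: windows-latest
            tools_url: https://dl.google.com/android/repository/commandlinetools-win-9477386_latest.zip
    runs-on: ${{ matrix.platform }}
    steps:
      - name: Set up JDK 11 for toolchains
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: 11
      - name: Set runner-specific environment variables
        # Written to GITHUB_ENV so that every later step of this job sees the
        # same locations.
        shell: bash
        run: |
          echo "ANDROID_HOME=${{ runner.temp }}/android-sdk" >> $GITHUB_ENV
          echo "ANDROID_SDK_ROOT=${{ runner.temp }}/android-sdk" >> $GITHUB_ENV
          echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> $GITHUB_ENV
          echo "SDKMANAGER=${{ runner.temp }}/android-sdk/cmdline-tools/bin/sdkmanager" >> $GITHUB_ENV
          echo "M2_REPO=${{ runner.temp }}/m2" >> $GITHUB_ENV
      - uses: actions/checkout@v4
      - name: Setup Linux environment
        if: runner.os == 'Linux'
        # NOTE(review): this adds a package archive outside the Ubuntu
        # archive (ppa:openjdk-r/ppa) and installs from it as root.
        run: |
          echo "CC=clang" >> $GITHUB_ENV
          echo "CXX=clang++" >> $GITHUB_ENV
          sudo dpkg --add-architecture i386
          sudo add-apt-repository ppa:openjdk-r/ppa
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends \
          gcc-multilib \
          g++-multilib \
          ninja-build \
          openjdk-11-jre-headless
      - name: Setup macOS environment
        if: runner.os == 'macOS'
        # Best effort: a failure is logged and the job carries on.
        run: |
          brew update || echo update failed
          brew install ninja || echo install failed
      - name: Setup Windows environment
        if: runner.os == 'Windows'
        run: |
          choco install nasm -y
          choco install ninja -y
      - name: Fetch BoringSSL source
        uses: actions/download-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl
      - name: Checkout BoringSSL master branch
        # The artifact comes from a --no-checkout clone; this populates the
        # working tree at the cloned HEAD on a local branch named master.
        shell: bash
        run: |
          cd "$BORINGSSL_HOME"
          git checkout --progress --force -B master
      - name: Build BoringSSL x86 and ARM MacOS
        if: runner.os == 'macOS'
        env:
          # For compatibility, but 10.15 target requires 16-byte stack alignment.
          # Quoted so the value is a string and not a YAML float.
          MACOSX_DEPLOYMENT_TARGET: '10.13'
        run: |
          mkdir -p "$BORINGSSL_HOME/build.x86"
          pushd "$BORINGSSL_HOME/build.x86"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=x86_64 -GNinja ..
          ninja
          popd
          mkdir -p "$BORINGSSL_HOME/build.arm"
          pushd "$BORINGSSL_HOME/build.arm"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_ARCHITECTURES=arm64 -GNinja ..
          ninja
          popd
      - name: Build BoringSSL 64-bit Linux
        if: runner.os == 'Linux'
        run: |
          mkdir -p "$BORINGSSL_HOME/build64"
          pushd "$BORINGSSL_HOME/build64"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja ..
          ninja
          popd
      - name: Set up MSVC paths on Windows
        if: runner.os == 'Windows'
        # NOTE(review): third-party action referenced by a mutable tag.
        # Pinning it to a full commit SHA keeps a moved tag from changing
        # what runs in this job.
        uses: ilammy/msvc-dev-cmd@v1
        with:
          arch: x64
      - name: Build BoringSSL 64-bit Windows
        if: runner.os == 'Windows'
        run: |
          cd $Env:BORINGSSL_HOME
          mkdir build64
          pushd build64
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded -GNinja ..
          ninja
          popd
      - name: Setup Android environment
        shell: bash
        if: runner.os == 'Linux'
        # curl -f turns an HTTP error into a failed step instead of saving
        # the error page as android-tools.zip. The archive is still trusted
        # on the strength of the HTTPS download alone (see the matrix note).
        run: |
          cd "${{ runner.temp }}"
          curl -fL "${{ matrix.tools_url }}" -o android-tools.zip
          mkdir -p "$ANDROID_HOME"
          unzip -q android-tools.zip -d "$ANDROID_HOME"
          yes | "$SDKMANAGER" --sdk_root="$ANDROID_HOME" --licenses || true
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" tools
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" platform-tools
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'build-tools;30.0.3'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'platforms;android-26'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'extras;android;m2repository'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'ndk;25.2.9519653'
          "$SDKMANAGER" --sdk_root="$ANDROID_HOME" 'cmake;3.22.1'
      - name: Build with Gradle
        shell: bash
        run: ./gradlew assemble -PcheckErrorQueue
      - name: Test with Gradle
        shell: bash
        timeout-minutes: 15
        run: ./gradlew check -PcheckErrorQueue
      - name: Publish to local Maven repo
        shell: bash
        run: ./gradlew publishToMavenLocal -Dmaven.repo.local="$M2_REPO"
      - name: Upload Maven respository
        # One artifact per OS; the uberjar job downloads all three.
        uses: actions/upload-artifact@v4
        with:
          name: m2repo-${{ runner.os }}
          path: ${{ runner.temp }}/m2
      - name: Build test JAR with dependencies
        if: runner.os == 'Linux'
        shell: bash
        run: ./gradlew :conscrypt-openjdk:testJar -PcheckErrorQueue
      - name: Upload test JAR with dependencies
        if: runner.os == 'Linux'
        uses: actions/upload-artifact@v4
        with:
          name: testjar
          path: openjdk/build/libs/conscrypt-openjdk-*-tests.jar
          if-no-files-found: error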
# --- job: uberjar -----------------------------------------------------------
  uberjar:
    # Combines the per-OS Maven repositories produced by the build job into
    # one UberJAR and publishes it as the m2repo-uber artifact.
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Linux environment
        # NOTE(review): installs from ppa:openjdk-r/ppa, a package archive
        # outside the Ubuntu archive, as root.
        run: |
          echo "CC=clang" >> $GITHUB_ENV
          echo "CXX=clang++" >> $GITHUB_ENV
          sudo dpkg --add-architecture i386
          sudo add-apt-repository ppa:openjdk-r/ppa
          sudo apt-get -qq update
          sudo apt-get -qq install -y --no-install-recommends \
          gcc-multilib \
          g++-multilib \
          ninja-build \
          openjdk-11-jre-headless

      - name: Set runner-specific environment variables
        shell: bash
        run: |
          echo "M2_REPO=${{ runner.temp }}/m2" >> $GITHUB_ENV
          echo "BORINGSSL_HOME=${{ runner.temp }}/boringssl" >> $GITHUB_ENV

      - name: Fetch BoringSSL source
        uses: actions/download-artifact@v4
        with:
          name: boringssl-source
          path: ${{ runner.temp }}/boringssl

      - name: Checkout BoringSSL master branch
        # The artifact carries a clone without a working tree; this creates
        # the working tree on a local branch named master.
        shell: bash
        run: |
          cd "$BORINGSSL_HOME"
          git checkout --progress --force -B master

      - name: Build BoringSSL 64-bit Linux
        run: |
          mkdir -p "$BORINGSSL_HOME/build64"
          pushd "$BORINGSSL_HOME/build64"
          cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE -DCMAKE_BUILD_TYPE=Release -GNinja ..
          ninja
          popd

      # TODO(prb) remove build dependency above and go back to this.
      # - name: Make fake BoringSSL directories
      #   shell: bash
      #   run: |
      #     # TODO: remove this when the check is only performed when building.
      #     # BoringSSL is not needed during the UberJAR build, but the
      #     # assertion to check happens regardless of whether the project
      #     # needs it.
      #     mkdir -p "${{ runner.temp }}/boringssl/build64"
      #     mkdir -p "${{ runner.temp }}/boringssl/include"

      # The three downloads below all unpack into the same directory, which
      # Gradle is then given as maven.repo.local.
      - name: Download Maven repository for Linux
        uses: actions/download-artifact@v4
        with:
          name: m2repo-Linux
          path: ${{ runner.temp }}/m2

      - name: Download Maven repository for MacOS
        uses: actions/download-artifact@v4
        with:
          name: m2repo-macOS
          path: ${{ runner.temp }}/m2

      - name: Download Maven repository for Windows
        uses: actions/download-artifact@v4
        with:
          name: m2repo-Windows
          path: ${{ runner.temp }}/m2

      - name: Build UberJAR with Gradle
        shell: bash
        run: |
          ./gradlew :conscrypt-openjdk-uber:build -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO"

      - name: Publish UberJAR to Maven Local
        shell: bash
        run: |
          ./gradlew :conscrypt-openjdk-uber:publishToMavenLocal -Dorg.conscrypt.openjdk.buildUberJar=true -Dmaven.repo.local="$M2_REPO"

      - name: Upload Maven respository
        uses: actions/upload-artifact@v4
        with:
          name: m2repo-uber
          path: ${{ runner.temp }}/m2
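# --- job: openjdk-test ------------------------------------------------------
  openjdk-test:
    # Runs the test JAR against the UberJAR on every combination of
    # platform, Java version and JDK distribution in the matrix.
    needs: uberjar
    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-13, macos-latest, windows-latest]
        java: [8, 11, 17, 21]
        dist: ['temurin', 'zulu']
        include:
          # Classpath separator used when the java command line is built.
          - platform: ubuntu-latest
            separator: ':'
          - platform: macos-latest
            separator: ':'
          - platform: macos-13
            separator: ':'
          - platform: windows-latest
            separator: ';'
        exclude:  # Not available on Github runners
          - platform: macos-latest
            java: 8
            dist: 'temurin'
    runs-on: ${{ matrix.platform }}
    steps:
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          distribution: ${{ matrix.dist }}
          java-version: ${{ matrix.java }}
      - name: Download UberJAR
        uses: actions/download-artifact@v4
        with:
          name: m2repo-uber
          path: m2
      - name: Download Test JAR with Dependencies
        uses: actions/download-artifact@v4
        with:
          name: testjar
          path: testjar
      - name: Download JUnit runner
        # Plugin and runner versions are both stated explicitly.
        shell: bash
        run: mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.0:copy -Dartifact=org.junit.platform:junit-platform-console-standalone:1.11.2 -DoutputDirectory=. -Dmdep.stripVersion=true
      - name: Run JUnit tests
        timeout-minutes: 15
        shell: bash
        # NOTE(review): DIR and VERSION assume the repository holds exactly
        # one version directory for conscrypt-openjdk-uber; confirm.
        # TESTPID is assigned immediately after the test process is started,
        # before the trap is installed, so the handler never runs with it
        # unset.
        run: |
          DIR="$(find m2/org/conscrypt/conscrypt-openjdk-uber -maxdepth 1 -mindepth 1 -type d -print)"
          VERSION="${DIR##*/}"
          TESTJAR="$(find testjar -name '*-tests.jar')"
          # SIGTERM handler, e.g. for when tests hang and time out.
          # Send SIGQUIT to test process to get thread dump, give it
          # a few seconds to complete and then kill it.
          dump_threads() {
            echo "Generating stack dump."
            ps -fp "$TESTPID"
            kill -QUIT "$TESTPID"
            sleep 3
            kill -KILL "$TESTPID"
            exit 1
          }
          java -jar junit-platform-console-standalone.jar execute -cp "$DIR/conscrypt-openjdk-uber-$VERSION.jar${{ matrix.separator }}$TESTJAR" -n='org.conscrypt.ConscryptOpenJdkSuite' --scan-classpath --reports-dir=results --fail-if-no-tests &
          TESTPID=$!
          case $(uname -s) in
            Darwin|Linux)
              trap dump_threads SIGTERM SIGINT
              ;;
            *)
              # TODO: Probably won't work on Windows but thread dumps
              # work there already.
              ;;
          esac
          wait "$TESTPID"
      - name: Archive test results
        # Uploaded even when the tests fail or time out.
        if: ${{ always() }}
        uses: actions/upload-artifact@v4
        with:
          name: test-results-${{ matrix.platform }}-${{ matrix.java }}-${{ matrix.dist }}
          path: results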