Skip to content

Commit

Permalink
tools: automate update openssl v16
Browse files Browse the repository at this point in the history
PR-URL: #48377
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
  • Loading branch information
marco-ippolito authored Jun 19, 2023
1 parent 8e710c9 commit 51ca71c
Show file tree
Hide file tree
Showing 2 changed files with 150 additions and 37 deletions.
77 changes: 57 additions & 20 deletions .github/workflows/update-openssl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,35 +10,23 @@ permissions:
contents: read

jobs:
openssl-update:
openssl-v3-update:
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
persist-credentials: false
- name: Check if update branch already exists
run: |
BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl)
echo "BRANCH_EXISTS=$BRANCH_EXISTS" >> $GITHUB_ENV
- name: Check and download new OpenSSL version
# Only run rest of the workflow if the update branch does not yet exist
if: ${{ env.BRANCH_EXISTS == '' }}
run: |
NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[].tag_name|select(contains("openssl-3"))|ltrimstr("openssl-")' | head -n1)
NEW_VERSION_NO_RELEASE_1=$(case $NEW_VERSION in *quic1) echo ${NEW_VERSION%1};; *) echo $NEW_VERSION;; esac)
VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p" | sed 's/+/-/g')
echo "comparing current version: $CURRENT_VERSION with $NEW_VERSION_NO_RELEASE_1"
if [ "$NEW_VERSION_NO_RELEASE_1" != "$CURRENT_VERSION" ]; then
echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
echo "HAS_UPDATE=true" >> $GITHUB_ENV
./tools/dep_updaters/update-openssl.sh download "$NEW_VERSION"
fi
./tools/dep_updaters/update-openssl.sh download_v3 > temp-output
cat temp-output
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
rm temp-output
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- name: Create PR with first commit
if: env.HAS_UPDATE
if: env.NEW_VERSION
uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
# Creates a PR with the new OpenSSL source code committed
env:
Expand All @@ -53,15 +41,15 @@ jobs:
path: deps/openssl
update-pull-request-title-and-body: true
- name: Regenerate platform specific files
if: env.HAS_UPDATE
if: env.NEW_VERSION
run: |
sudo apt install -y nasm libtext-template-perl
./tools/dep_updaters/update-openssl.sh regenerate
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- name: Add second commit
# Adds a second commit to the PR with the generated platform-dependent files
if: env.HAS_UPDATE
if: env.NEW_VERSION
uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
Expand All @@ -70,3 +58,52 @@ jobs:
branch: actions/tools-update-openssl # Custom branch *just* for this Action.
commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
path: deps/openssl
openssl-v1-update:
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
persist-credentials: false
ref: v16.x-staging
- name: Check and download new OpenSSL version
run: |
./tools/dep_updaters/update-openssl.sh download_v1 > temp-output
cat temp-output
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
rm temp-output
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- name: Create PR with first commit
if: env.NEW_VERSION
uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
# Creates a PR with the new OpenSSL source code committed
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
author: Node.js GitHub Bot <[email protected]>
body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
labels: dependencies
title: '[v16.x] deps: update OpenSSL to ${{ env.NEW_VERSION }}'
path: deps/openssl
update-pull-request-title-and-body: true
- name: Regenerate platform specific files
if: env.NEW_VERSION
run: |
sudo apt install -y nasm libtext-template-perl
./tools/dep_updaters/update-openssl.sh regenerate
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- name: Add second commit
# Adds a second commit to the PR with the generated platform-dependent files
if: env.NEW_VERSION
uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
author: Node.js GitHub Bot <[email protected]>
branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
path: deps/openssl
110 changes: 93 additions & 17 deletions tools/dep_updaters/update-openssl.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,45 +9,115 @@ cleanup() {
exit $EXIT_CODE
}

download() {
if [ -z "$1" ]; then
echo "Error: please provide an OpenSSL version to update to"
echo " e.g. ./$0 download 3.0.7+quic1"
exit 1
fi
download_v1() {
LATEST_V1_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1');
if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
const releases = await res.json()
const latest = releases.findLast(({ ref }) => ref.includes('quic'));
if(!latest) throw new Error(`Could not find latest release for v1`);
console.log(latest.ref.replace('refs/tags/',''));
EOF
)"

NEW_VERSION_V1=$(echo "$LATEST_V1_TAG_NAME" | sed 's/OpenSSL_//;s/_/./g;s/-/+/g')

case "$NEW_VERSION_V1" in
*quic1) NEW_VERSION_V1_NO_RELEASE="${NEW_VERSION_V1%1}" ;;
*) NEW_VERSION_V1_NO_RELEASE="$NEW_VERSION_V1" ;;
esac

OPENSSL_VERSION=$1
echo "Making temporary workspace..."
WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
VERSION_H="$DEPS_DIR/openssl/openssl/include/openssl/opensslv.h"
CURRENT_VERSION=$(grep "OPENSSL_VERSION_TEXT" "$VERSION_H" | sed -n "s/.*OpenSSL \([^\"]*\).*/\1/p" | cut -d ' ' -f 1)

# shellcheck disable=SC1091
. "$BASE_DIR/tools/dep_updaters/utils.sh"
# This function exit with 0 if new version and current version are the same
compare_dependency_version "openssl" "$NEW_VERSION_V1_NO_RELEASE" "$CURRENT_VERSION"

echo "Making temporary workspace..."
WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
cd "$WORKSPACE"

echo "Fetching OpenSSL source archive..."
OPENSSL_TARBALL="openssl-v$OPENSSL_VERSION.tar.gz"
curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/openssl-$OPENSSL_VERSION"
OPENSSL_TARBALL="openssl.tar.gz"
curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V1_TAG_NAME"
log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
gzip -dc "$OPENSSL_TARBALL" | tar xf -
rm "$OPENSSL_TARBALL"

mv quictls-openssl-* openssl

echo "Replacing existing OpenSSL..."
rm -rf "$DEPS_DIR/openssl/openssl"
mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"

echo "All done!"
echo ""
echo "Please git add openssl, and commit the new version:"
echo ""
echo "$ git add -A deps/openssl/openssl"
echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V1\""
echo ""
# The last line of the script should always print the new version,
# as we need to add it to $GITHUB_ENV variable.
echo "NEW_VERSION=$NEW_VERSION_V1"
}

# Update the version number
update_dependency_version "openssl" "$OPENSSL_VERSION"
download_v3() {
LATEST_V3_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/openssl-3.0');
if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
const releases = await res.json()
const latest = releases.findLast(({ ref }) => ref.includes('quic'));
if(!latest) throw new Error(`Could not find latest release for v3.0`);
console.log(latest.ref.replace('refs/tags/',''));
EOF
)"
NEW_VERSION_V3=$(echo "$LATEST_V3_TAG_NAME" | sed 's/openssl-//;s/-/+/g')

case "$NEW_VERSION_V3" in
*quic1) NEW_VERSION_V3_NO_RELEASE="${NEW_VERSION_V3%1}" ;;
*) NEW_VERSION_V3_NO_RELEASE="$NEW_VERSION_V3" ;;
esac
VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p")
# This function exit with 0 if new version and current version are the same
compare_dependency_version "openssl" "$NEW_VERSION_V3_NO_RELEASE" "$CURRENT_VERSION"

echo "Making temporary workspace..."

WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')

cd "$WORKSPACE"
echo "Fetching OpenSSL source archive..."

OPENSSL_TARBALL="openssl.tar.gz"

curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V3_TAG_NAME"

log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"

gzip -dc "$OPENSSL_TARBALL" | tar xf -

rm "$OPENSSL_TARBALL"
mv quictls-openssl-* openssl
echo "Replacing existing OpenSSL..."
rm -rf "$DEPS_DIR/openssl/openssl"
mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"

# Update the version number
update_dependency_version "openssl" "$NEW_VERSION_V3"
echo "All done!"
echo ""
echo "Please git add openssl, and commit the new version:"
echo ""
echo "$ git add -A deps/openssl/openssl"
echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$OPENSSL_VERSION\""
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V3\""
echo ""
# The last line of the script should always print the new version,
# as we need to add it to $GITHUB_ENV variable.
echo "NEW_VERSION=$NEW_VERSION_V3"
}

regenerate() {
Expand Down Expand Up @@ -94,8 +164,14 @@ main() {
BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
DEPS_DIR="$BASE_DIR/deps"

[ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
[ -x "$NODE" ] || NODE=$(command -v node)

# shellcheck disable=SC1091
. "$BASE_DIR/tools/dep_updaters/utils.sh"

case ${1} in
help | download | regenerate )
help | regenerate | download_v1 | download_v3 )
$1 "${2}"
;;
* )
Expand Down

0 comments on commit 51ca71c

Please sign in to comment.