CI: trim macOS jobs in os-check.yml to a curated subset #11

Open
Frauschi wants to merge 1 commit into master from claude/optimize-macos-ci-jobs-i1rMO
@Frauschi
Owner

Summary

os-check.yml was the largest macOS CI consumer: make_check ran 51 configs on
both ubuntu-24.04 and macos-latest, and make_user_settings /
make_user_all also fanned out to macOS. Most of those macOS runs exercise no
Darwin-specific code (DTLS-feature permutations, SHE, OCSP, sniffer, harden-tls,
client/server-disable variants, cryptocb permutations, ...) and only duplicated
Ubuntu signal on a slow runner.

This PR keeps the full 51-config matrix on Ubuntu and reduces macOS to a curated
set chosen for Darwin-specific signal plus broad key-crypto coverage:

  • '' — default build; --enable-sys-ca-certs is auto-on on macOS, so
    this exercises Apple keychain / system trust loading in src/ssl_load.c with
    no Linux equivalent.
  • --enable-all --enable-asn=template — broad key crypto (RSA, ECC, AES,
    SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC, ...) plus
    Security.framework + opensslextra in a single run.
  • --disable-sys-ca-certs — negative test for the only OS that auto-enables
    the flag.
  • DTLS-CID + DTLS13 + secure-renego + PSK + AES-CCM + null cipher — exercises
    Darwin BSD-socket / recvmsg / MTU handling that genuinely differs from Linux.
  • --enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey
    exercises the crypto-callback dispatcher under Apple clang. Not covered by
    --enable-all.

make_user_settings keeps macOS coverage (the user_settings.h header-driven
build path is genuinely distinct from the autotools --enable-all path).
make_user_all is now plain Linux-only without a redundant single-element
matrix. xcode.yml (Xcode IDE / Apple Silicon arm64 / Universal binaries) and
macos-apple-native-cert-validation.yml (Apple Security.framework cert-chain
validation) are unchanged.

Net effect: macOS runner slots in os-check.yml drop from ~53 per push/PR to 6
(5 in make_check::include + 1 in make_user_settings).

Test plan

  • CI on this branch reports 51 Ubuntu jobs and exactly 5 macOS jobs in make check.
  • make_user_settings runs on both ubuntu-24.04 and macos-latest for user_settings_all.h.
  • make_user_all runs on ubuntu-24.04 only.
  • All 5 macOS make check configs pass: '', --enable-all --enable-asn=template, --disable-sys-ca-certs, the DTLS-CID config, and the cryptocb config.
  • xcode.yml and macos-apple-native-cert-validation.yml workflows unaffected.
  • Wall-clock time of the workflow on a PR is meaningfully shorter than a recent run on master.

Caller note

If branch protection on the upstream wolfSSL repo references specific job names
like make check (macos-latest, --enable-she=...), those required status checks
will need to be updated — they will never report again under the new
matrix.

https://claude.ai/code/session_01HUWvib2kMeHpFFMY5NiiNd


Generated by Claude Code

The make_check job ran 51 configs on both ubuntu-24.04 and macos-latest,
and make_user_settings / make_user_all also fanned out onto macOS. Most
of those macOS runs exercised no Darwin-specific code (DTLS permutations,
SHE, cryptocb permutations, OCSP, sniffer, harden-tls, client/server-
disable variants, ...) and only duplicated Ubuntu signal on a slow
runner.

Restructure the workflow into a symmetric pair, each with its own plain
matrix:

  - make_check_linux (69 configs on ubuntu-24.04): the previous 51
    make_check configs merged with the 18 platform-agnostic configs that
    were in the old make_check_linux job. One job now owns all
    Linux-only coverage.

  - make_check_macos (5 configs on macos-latest): each chosen for a
    Darwin-specific reason or for broad key-crypto coverage:

      * ''  -- default; --enable-sys-ca-certs is auto-on on macOS, so
        this exercises Apple keychain / system trust loading in
        src/ssl_load.c that has no Linux equivalent.

      * --enable-all --enable-asn=template  -- broad key crypto (RSA,
        ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC,
        sniffer, DTLS, OCSP, ...) plus Security.framework and
        opensslextra in a single run. --enable-all does NOT enable
        cryptocb or SHE, so the cryptocb path has its own entry below.

      * --disable-sys-ca-certs  -- validates the configure-time
        auto-enable override and that Security.framework code paths
        compile out cleanly. macOS is the only OS where sys-ca-certs is
        auto-on by default.

      * --enable-dtls --enable-dtlscid --enable-dtls13
        --enable-secure-renegotiation --enable-psk --enable-aesccm
        --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA  -- DTLS over
        BSD sockets on Darwin: connection-ID, fragmented ClientHello,
        secure renegotiation, PSK, AES-CCM, null cipher; exercises
        recvmsg / MTU / datagram handling that genuinely differs from
        Linux.

      * --enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey
        -- crypto-callback dispatcher under Apple clang; verifies the
        cryptocb find / setkey / keygen path compiles and runs on the
        macOS toolchain.

Other jobs in the file:

  - make_user_settings: kept on both ubuntu-24.04 and macos-latest. The
    user_settings.h header-driven build path is genuinely distinct from
    the autotools --enable-all path in make_check_*; macOS-specific
    guard ordering (e.g. WOLFSSL_SYS_CA_CERTS pulling in
    Security.framework) needs to be exercised under Apple clang here.

  - make_user_all, make_user_settings_testwolfcrypt: dropped the
    dead-weight single-element os: [ ubuntu-24.04 ] matrix axes; use
    plain runs-on: ubuntu-24.04.

Net effect: macOS runner slots in os-check.yml drop from ~53 per
push/PR to 6 (5 in make_check_macos + 1 in make_user_settings).
xcode.yml (Xcode IDE / Apple Silicon arm64 / Universal binary builds)
and macos-apple-native-cert-validation.yml (Apple Security.framework
SecTrustEvaluateWithError chain validation, complementary to and
non-overlapping with sys-ca-certs above) are unchanged and continue to
provide their dedicated, distinct macOS coverage.

Note for upstream: branch protection rules that reference the old job
names ("make check", "make check (Linux only)", or any
"(macos-latest, <config>)" matrix combination) will need updating --
those names no longer exist.

@Frauschi force-pushed the claude/optimize-macos-ci-jobs-i1rMO branch from 8e4dcb1 to c10ed58 on April 27, 2026 09:15
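
The caller note and the note for upstream warn that required status checks naming old matrix jobs will never report again. As an added example (not part of this PR or of the wolfSSL workflows), the Python below expands a plain matrix into check names and lists the required checks that no job reports any more, with likely successors. It assumes the new jobs are displayed under their job ids; the required-check list is constructed for illustration.

```python
from itertools import product


def job_names(job, matrix):
    """Check names reported for a job with a plain matrix.

    With no expression in the job name, the matrix values are appended in
    definition order: 'job (v1, v2)'. include/exclude are not modelled.
    """
    if not matrix:
        return {job}
    return {f"{job} ({', '.join(vals)})" for vals in product(*matrix.values())}


def config_of(check):
    """Last matrix value in a check name, or None for an unparameterised job."""
    if not check.endswith(")") or " (" not in check:
        return None
    return check[check.rindex(" (") + 2:-1].split(", ")[-1]


def stale_required(required, reported):
    """Map each required check that will never report to likely successors."""
    out = {}
    for check in sorted(set(required) - set(reported)):
        cfg = config_of(check)
        out[check] = sorted(r for r in reported if cfg and config_of(r) == cfg)
    return out


# Two configs named in the PR; the job display names below are assumptions.
CONFIGS = ["--enable-all --enable-asn=template", "--disable-sys-ca-certs"]
NEW = (job_names("make_check_linux", {"config": CONFIGS})
       | job_names("make_check_macos", {"config": CONFIGS}))

# Constructed branch-protection list: two old-style names, one new-style name.
REQUIRED = [
    "make check (macos-latest, --disable-sys-ca-certs)",
    "make check (ubuntu-24.04, --enable-all --enable-asn=template)",
    "make_check_macos (--disable-sys-ca-certs)",
]

if __name__ == "__main__":
    for old, candidates in stale_required(REQUIRED, NEW).items():
        print(f"never reports: {old}\n  candidates: {candidates}")
```

A required check that never reports leaves every PR pending, so the protection rule has to be switched to the successor names in the same change window rather than dropped.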