You can remove the os from the include and have:

matrix:
  os: [ubuntu-24.04]
  include:
    - { ssl: openssl, ssl_ver: 3.0.16 }
    - ...

It would be possible to merge two matrices but we'll need a pre-step and I don't think it's more maintainable.

Could we do ssl_lib: openssl | awslc? It would be easier to follow later on than just matrix.ssl everywhere.

I'm sorry but what would ssl_lib: openssl | awslc in this case? does it run on both and if it doesn't work for one, it picks the other? (also, how would we use it below?)

@picnixz I'm not sure I follow, the suggestion is just to rename matrix.ssl to matrix.ssl_lib. openssl | awslc are the valid values for either name.

Oh! I thought you suggested something like this:

matrix:
  os: [ubuntu-24.04]
  include:
    - { ssl_lib: openssl | awslc, ssl_ver: 3.0.16 }

and I didn't know what it would means. Yes, we can have matrix.ssl_lib

Can't we just use ${{ env.ssldir }}? I don't understand why we're defining it here and in the env section

zizmor says using ${{ env.ssldir }} can result in template injection:

help[template-injection]: code injection via template expansion
   --> ./.github/workflows/build.yml:324:134
    |
323 |       run: |
    |       --- help: this run block
324 |         CMD=(./configure CFLAGS="-fdiagnostics-format=json" --config-cache --enable-slower-safety --with-pydebug --with-openssl="${{ env.ssldir }...
    |                                                                                                                                      ---------- help: may expand into attacker-controllable code

Isn't env a procteced namespace that cannot be accessed from outside? but if zizmor flags it as possibly vulnerable, let's be verbose.

Let's ask zizmor author @woodruffw.

Ok, so zizmor kwnows that it's not attackable but recommends against it for shell expansion purposes: https://github.com/woodruffw/gha-hazmat/blob/e4094ceabb0068a2a5b81ecc8e1ee919ba52a050/.github/workflows/template-injection.yml#L77.

However! we can do another trick https://github.com/woodruffw/gha-hazmat/blob/e4094ceabb0068a2a5b81ecc8e1ee919ba52a050/.github/workflows/template-injection.yml#L67-L72. I guess we could directly use the environment variable name then without needing to make GH variable expansion.

Yeah, I'd recommend using the environment variable directly instead of intermediating it through a template (e.g. $FOO instead of ${{ env.FOO }}). That should be equivalent in terms of intended behavior without the injection risk 🙂

The reason zizmor flags these is because they can be exploitable in some subtle situations: most of the time env.* is static and not attacker-controllable, but sometimes it comes from GITHUB_ENV or another dynamic source that zizmor can't follow.

Some more docs here too (the first tip in that section mentions why env.* is not preferred versus direct expansion): https://docs.zizmor.sh/audits/#template-injection

Can you make it multiline as before? please

Note we can use run: > syntax to avoid the trailing backslashes

Yes, it would be better. We don't care about literal new lines here.

Can we populate a variable called "CONFIGURE_FLAGS" instead and use a switch/case so that we exactly match the SSL libname. It will become easier in the future if we add BoringSSL or LibreSSL tests.

At this point I'd almost suggest using a small Python script to calculate flags. We should avoid complex shell logic in workflow files as much as possible, I don't want to read a bash switch-case in YAML! An if-statement is simpler to understand here for me, though the ${CMD[@]} syntax is arcane.

Oh yeah, a small Python script is also fine; here what matters to me is to be able to easily add a new library without having 3km long of options. As for ${CMD[@]}, it expands the array's content, so you end up with ./configure [...]. Usually, it's more common to expand the options and hardcode the command rather than expand the entire array containing the command as well.

With steps.cache-openssl here, we won't be hitting the cache-ssl entry right? maybe it's better to store a cache hit with steps.cache-${{ matrix.ssl }} if it's possible?

Please revert this. As we can't have abstract class methods, I prefer having real class variables where we would raise if they are not set.

Yep, better to raise NotImplementedError. That's treated equivalently to an abstract method.

I think it's just better to have abstract class variables here. The reason is that I don't think we would ever need a non-static computation for most of those abstract properties. If they must be abstract class properties that are represented by dynamic values that need a bit more work to compute (but only needed to be computed once), just a @classmethod together with NotImplementedError.

Please, don't use this. It's harder to maintain if we do it like this. Just hardcode the classes.

Use extend instead of += [...]

You could have a dict of classes to a list of versions instead of storing a tuple of (class, version)

This is now the default, so we can skip this:

(Also, it wouldn't be effective if we were to use an older Python version)

zizmor says using ${{ env.ssldir }} can result in template injection:

help[template-injection]: code injection via template expansion
   --> ./.github/workflows/build.yml:324:134
    |
323 |       run: |
    |       --- help: this run block
324 |         CMD=(./configure CFLAGS="-fdiagnostics-format=json" --config-cache --enable-slower-safety --with-pydebug --with-openssl="${{ env.ssldir }...
    |                                                                                                                                      ---------- help: may expand into attacker-controllable code

All jobs run on the same OS, this is simpler:

We use matrix.os in the cache key so better not hardcode it here?

Do we care about Python 3.9 at this point? Frequently for in-tree tools we use python_for_regen as the base version, or the previous stable release (e.g. 3.12 at present).

Yes, we care because of security branches I'd say. Also, there are still distros with Pyhton 3.9 as its default I think (I mean, my default Python in OpenSUSE was Python 3.6!). But generally, it's to limit to "simple" Python when possible.

True, but e.g. for backports to 3.9 we would run against the version of Tools/ssl/multissltests.py in the 3.9 branch? We should add a comment explaining why we care about all non EOL versions, though.

True, but e.g. for backports to 3.9 we would run against the version of Tools/ssl/multissltests.py in the 3.9 branch?

That's... a good question. I would have said "yes", but now I'm not entirely sure. Maybe not?

Ah actually, we do:

    def run_python_tests(self, tests, network=True):
        if not tests:
            cmd = [
                sys.executable,
                os.path.join(PYTHONROOT, 'Lib/test/ssltests.py'),
                '-j0'
            ]
        elif sys.version_info < (3, 3):
            cmd = [sys.executable, '-m', 'test.regrtest']
        else:
            cmd = [sys.executable, '-m', 'test', '-j0']
        if network:
            cmd.extend(['-u', 'network', '-u', 'urlfetch'])
        cmd.extend(['-w', '-r'])
        cmd.extend(tests)
self._subprocess_call(cmd, stdout=None)

So for executing the tests, we're really re-using the python interpreter that was used to generate the scripts, so we need to run the tests against the correct interpreter version.

@WillChilds-Klein could you update run_python_tests() in this PR to remove the 3.3 block & use long options to regrtest? -w -> --rerun & -r -> --randomize

Again I'd suggest --ssl-library or etc