From 492b94a36379171fdfeff2dd287a080d2a97a56e Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Mon, 19 Jun 2023 14:53:09 +0200 Subject: [PATCH] tools: automate update openssl v16 PR-URL: https://github.com/nodejs/node/pull/48377 Reviewed-By: Rafael Gonzaga Reviewed-By: Antoine du Hamel Reviewed-By: Paolo Insogna --- .github/workflows/update-openssl.yml | 77 ++++++++++++++----- tools/dep_updaters/update-openssl.sh | 110 ++++++++++++++++++++++----- 2 files changed, 150 insertions(+), 37 deletions(-) diff --git a/.github/workflows/update-openssl.yml b/.github/workflows/update-openssl.yml index ee42ebdb778c7f..70b5ae7b616518 100644 --- a/.github/workflows/update-openssl.yml +++ b/.github/workflows/update-openssl.yml @@ -10,35 +10,23 @@ permissions: contents: read jobs: - openssl-update: + openssl-v3-update: if: github.repository == 'nodejs/node' runs-on: ubuntu-latest steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: persist-credentials: false - - name: Check if update branch already exists - run: | - BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl) - echo "BRANCH_EXISTS=$BRANCH_EXISTS" >> $GITHUB_ENV - name: Check and download new OpenSSL version - # Only run rest of the workflow if the update branch does not yet exist - if: ${{ env.BRANCH_EXISTS == '' }} run: | - NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[].tag_name|select(contains("openssl-3"))|ltrimstr("openssl-")' | head -n1) - NEW_VERSION_NO_RELEASE_1=$(case $NEW_VERSION in *quic1) echo ${NEW_VERSION%1};; *) echo $NEW_VERSION;; esac) - VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h" - CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p" | sed 's/+/-/g') - echo "comparing current version: $CURRENT_VERSION with $NEW_VERSION_NO_RELEASE_1" - if [ "$NEW_VERSION_NO_RELEASE_1" != "$CURRENT_VERSION" ]; then - echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV - echo "HAS_UPDATE=true" >> $GITHUB_ENV - ./tools/dep_updaters/update-openssl.sh download "$NEW_VERSION" - fi + ./tools/dep_updaters/update-openssl.sh download_v3 > temp-output + cat temp-output + tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true + rm temp-output env: GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} - name: Create PR with first commit - if: env.HAS_UPDATE + if: env.NEW_VERSION uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5 # Creates a PR with the new OpenSSL source code committed env: @@ -53,7 +41,7 @@ jobs: path: deps/openssl update-pull-request-title-and-body: true - name: Regenerate platform specific files - if: env.HAS_UPDATE + if: env.NEW_VERSION run: | sudo apt install -y nasm libtext-template-perl ./tools/dep_updaters/update-openssl.sh regenerate @@ -61,7 +49,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} - name: Add second commit # Adds a second commit to the PR with the generated platform-dependent files - if: env.HAS_UPDATE + if: env.NEW_VERSION uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5 env: GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} @@ -70,3 +58,52 @@ jobs: branch: actions/tools-update-openssl # Custom branch *just* for this Action. commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}' path: deps/openssl + openssl-v1-update: + if: github.repository == 'nodejs/node' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + with: + persist-credentials: false + ref: v16.x-staging + - name: Check and download new OpenSSL version + run: | + ./tools/dep_updaters/update-openssl.sh download_v1 > temp-output + cat temp-output + tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true + rm temp-output + env: + GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} + - name: Create PR with first commit + if: env.NEW_VERSION + uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2 + # Creates a PR with the new OpenSSL source code committed + env: + GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} + with: + author: Node.js GitHub Bot + body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}. + branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action. + commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}' + labels: dependencies + title: '[v16.x] deps: update OpenSSL to ${{ env.NEW_VERSION }}' + path: deps/openssl + update-pull-request-title-and-body: true + - name: Regenerate platform specific files + if: env.NEW_VERSION + run: | + sudo apt install -y nasm libtext-template-perl + ./tools/dep_updaters/update-openssl.sh regenerate + env: + GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} + - name: Add second commit + # Adds a second commit to the PR with the generated platform-dependent files + if: env.NEW_VERSION + uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2 + env: + GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} + with: + author: Node.js GitHub Bot + branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action. + commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}' + path: deps/openssl diff --git a/tools/dep_updaters/update-openssl.sh b/tools/dep_updaters/update-openssl.sh index ff320da03de089..850c7c6f7c5d96 100755 --- a/tools/dep_updaters/update-openssl.sh +++ b/tools/dep_updaters/update-openssl.sh @@ -9,45 +9,115 @@ cleanup() { exit $EXIT_CODE } -download() { - if [ -z "$1" ]; then - echo "Error: please provide an OpenSSL version to update to" - echo " e.g. ./$0 download 3.0.7+quic1" - exit 1 - fi +download_v1() { + LATEST_V1_TAG_NAME="$("$NODE" --input-type=module <<'EOF' +const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1'); +if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res }); +const releases = await res.json() +const latest = releases.findLast(({ ref }) => ref.includes('quic')); +if(!latest) throw new Error(`Could not find latest release for v1`); +console.log(latest.ref.replace('refs/tags/','')); +EOF +)" + + NEW_VERSION_V1=$(echo "$LATEST_V1_TAG_NAME" | sed 's/OpenSSL_//;s/_/./g;s/-/+/g') + + case "$NEW_VERSION_V1" in + *quic1) NEW_VERSION_V1_NO_RELEASE="${NEW_VERSION_V1%1}" ;; + *) NEW_VERSION_V1_NO_RELEASE="$NEW_VERSION_V1" ;; + esac - OPENSSL_VERSION=$1 - echo "Making temporary workspace..." - WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp') + VERSION_H="$DEPS_DIR/openssl/openssl/include/openssl/opensslv.h" + CURRENT_VERSION=$(grep "OPENSSL_VERSION_TEXT" "$VERSION_H" | sed -n "s/.*OpenSSL \([^\"]*\).*/\1/p" | cut -d ' ' -f 1) - # shellcheck disable=SC1091 - . "$BASE_DIR/tools/dep_updaters/utils.sh" + # This function exit with 0 if new version and current version are the same + compare_dependency_version "openssl" "$NEW_VERSION_V1_NO_RELEASE" "$CURRENT_VERSION" + echo "Making temporary workspace..." + WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp') cd "$WORKSPACE" echo "Fetching OpenSSL source archive..." - OPENSSL_TARBALL="openssl-v$OPENSSL_VERSION.tar.gz" - curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/openssl-$OPENSSL_VERSION" + OPENSSL_TARBALL="openssl.tar.gz" + curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V1_TAG_NAME" log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL" gzip -dc "$OPENSSL_TARBALL" | tar xf - rm "$OPENSSL_TARBALL" + mv quictls-openssl-* openssl echo "Replacing existing OpenSSL..." rm -rf "$DEPS_DIR/openssl/openssl" mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/" + + echo "All done!" + echo "" + echo "Please git add openssl, and commit the new version:" + echo "" + echo "$ git add -A deps/openssl/openssl" + echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md" + echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V1\"" + echo "" + # The last line of the script should always print the new version, + # as we need to add it to $GITHUB_ENV variable. + echo "NEW_VERSION=$NEW_VERSION_V1" +} - # Update the version number - update_dependency_version "openssl" "$OPENSSL_VERSION" +download_v3() { + LATEST_V3_TAG_NAME="$("$NODE" --input-type=module <<'EOF' +const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/openssl-3.0'); +if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res }); +const releases = await res.json() +const latest = releases.findLast(({ ref }) => ref.includes('quic')); +if(!latest) throw new Error(`Could not find latest release for v3.0`); +console.log(latest.ref.replace('refs/tags/','')); +EOF +)" + NEW_VERSION_V3=$(echo "$LATEST_V3_TAG_NAME" | sed 's/openssl-//;s/-/+/g') + + case "$NEW_VERSION_V3" in + *quic1) NEW_VERSION_V3_NO_RELEASE="${NEW_VERSION_V3%1}" ;; + *) NEW_VERSION_V3_NO_RELEASE="$NEW_VERSION_V3" ;; + esac + VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h" + CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p") + # This function exit with 0 if new version and current version are the same + compare_dependency_version "openssl" "$NEW_VERSION_V3_NO_RELEASE" "$CURRENT_VERSION" + echo "Making temporary workspace..." + + WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp') + + cd "$WORKSPACE" + echo "Fetching OpenSSL source archive..." + + OPENSSL_TARBALL="openssl.tar.gz" + + curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V3_TAG_NAME" + + log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL" + + gzip -dc "$OPENSSL_TARBALL" | tar xf - + + rm "$OPENSSL_TARBALL" + mv quictls-openssl-* openssl + echo "Replacing existing OpenSSL..." + rm -rf "$DEPS_DIR/openssl/openssl" + mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/" + + # Update the version number + update_dependency_version "openssl" "$NEW_VERSION_V3" echo "All done!" echo "" echo "Please git add openssl, and commit the new version:" echo "" echo "$ git add -A deps/openssl/openssl" echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md" - echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$OPENSSL_VERSION\"" + echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V3\"" echo "" + # The last line of the script should always print the new version, + # as we need to add it to $GITHUB_ENV variable. + echo "NEW_VERSION=$NEW_VERSION_V3" } regenerate() { @@ -94,8 +164,14 @@ main() { BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd) DEPS_DIR="$BASE_DIR/deps" + [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node" + [ -x "$NODE" ] || NODE=$(command -v node) + + # shellcheck disable=SC1091 + . "$BASE_DIR/tools/dep_updaters/utils.sh" + case ${1} in - help | download | regenerate ) + help | regenerate | download_v1 | download_v3 ) $1 "${2}" ;; * )