
Add cache built OpenSSL/wolfSSL deps in PR builders to speedup builds in CI #412

Open

aidangarske wants to merge 1 commit into wolfSSL:master from aidangarske:ci-cache-build-deps


Conversation

@aidangarske (Member) commented Jun 24, 2026

Description

Adds a reusable composite action .github/actions/cache-build-deps that caches
the built openssl-install / wolfssl-install (and openssl-source for
patched builds) keyed by resolved commit SHA, so build-wolfprovider.sh skips
the OpenSSL/wolfSSL configure+make on a cache hit. Wired into the normal-PR
from-source builders: cmdline, simple, smoke-test, seed-src,
fips-ready.

Pattern mirrors the existing multi-compiler.yml cache (resolve-ref -> SHA ->
actions/cache): a stable tag resolves to a fixed SHA (cached across runs);
master resolves to current HEAD (rebuilt only when upstream moves). The unit
under test (wolfprov-install) is never cached.

Measured effect (verified on this PR: cold run 1 -> warm run 2)

Workflow                            | cold avg (from scratch) | warm avg (cache hit) | speedup
cmdline                             | 283 s                   | 52 s                 | 5.4x
simple (incl. replace-default rows) | ~262 s                  | 41 s                 | 6.4x
smoke-test                          | 308 s                   | 49 s                 | 6.3x
seed-src                            | 298 s                   | 38 s                 | 7.8x
fips-ready                          | ~300 s                  | 44 s                 | ~7x

Per heavy config the from-scratch dep build is ~5:30-5:50; on a warm cache the
build step drops to ~30-50 s (about 5 min saved per cached job). All builders
passed on both the cold and warm runs.

Validation

  • Warm-run log confirms master rows hit on the resolved HEAD SHA
    ("Cache hit ... Cache restored successfully"): master is reused when the commit
    is unchanged and rebuilds when it moves; stable tags hit unconditionally.
  • Replace-default / FIPS-baseline rows (simple.yml) also cache openssl-source
    so the source-reading mismatch checks pass on a hit.
  • Variant token encodes every build-config dimension (compiler/debug/
    replace-default/seed-src/fips) so no wrong-config cache hit.
  • FIPS bundle cached by stable version; wget only runs on a cache miss.

aidangarske marked this pull request as ready for review June 24, 2026 16:43
aidangarske changed the title from "ci: cache built OpenSSL/wolfSSL deps in PR builders" to "Add cache built OpenSSL/wolfSSL deps in PR builders to speedup builds in CI" Jun 24, 2026
aidangarske requested a review from ColtonWilley June 24, 2026 17:12
aidangarske requested a review from padelsbach June 29, 2026 23:18

@padelsbach (Contributor) left a comment

This is a very challenging nut to crack (I've tried). Lots of landmines lurking, even assuming GH cache behavior is stable.

Zooming out, we really only need to build openssl and wolfssl once per tag/commit. Could we have a job that builds and pushes to oras? Or maybe even bakes it into different docker containers?

uses: actions/cache@v4
with:
path: openssl-install
key: openssl-install-${{ inputs.variant }}-${{ steps.openssl-ref.outputs.sha }}-${{ hashFiles('scripts/utils-openssl.sh', 'scripts/utils-wolfssl.sh', 'scripts/build-wolfprovider.sh') }}

Contributor

AI tells me we may want to include the patch files and patching scripts in the hashFiles

GITHUB_TOKEN: ${{ inputs.github_token }}
run: echo "sha=$("${GITHUB_WORKSPACE}/scripts/resolve-ref.sh" "${{ inputs.wolfssl_ref }}" wolfssl/wolfssl)" >> "$GITHUB_OUTPUT"

- name: Cache OpenSSL install

Contributor

Recommend redoing the openssl install if the openssl source is a cache miss, otherwise we might see unexpected stuff. Could happen with various cache eviction by Github.

Same with wolfssl source+install.

path: openssl-source
key: openssl-source-${{ inputs.variant }}-${{ steps.openssl-ref.outputs.sha }}-${{ hashFiles('scripts/utils-openssl.sh', 'scripts/utils-wolfssl.sh', 'scripts/build-wolfprovider.sh') }}

- name: Cache wolfSSL install

Contributor

AI pointed out that even wolfSSL depends on the openssl source (since we use --enable-opensslcoexist in utils-wolfssl.sh). So this step needs everything from the previous steps.

variant: simple${{ matrix.replace_default != '' && '-rd' || '' }}
openssl_ref: ${{ matrix.openssl_ref }}
wolfssl_ref: ${{ matrix.wolfssl_ref }}
cache_openssl_source: ${{ matrix.replace_default != '' }}

Contributor

IIRC, the WP build scripts will pull/download missing deps (e.g. openssl source) if not present, potentially bypassing the cache or causing a header-vs-binary mismatch. We really need the workflow to fail if the cache step didn't work.
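The key scheme in the PR description (install trees keyed by variant token, resolved commit SHA and a hashFiles digest of the build scripts) and the failure modes raised in the review comments above (patch files left out of the hash, an install restored while its source entry was evicted, the build script silently fetching whatever is missing) can be tied together with a stamp-and-verify step between the cache restore and build-wolfprovider.sh. The following shell script is an added example written for this page; it is not code from wolfProvider or from this PR, and the file names (.build-stamp, utils-openssl.sh, fix.patch, lib/libcrypto.so), the directory layout and the wipe-and-rebuild / strict-fail policy are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example for this page, not wolfProvider's own scripts: stamp-and-verify
# guard for cached OpenSSL/wolfSSL source+install trees in CI. All file names
# and the policy choices below are assumptions made for illustration.
set -eu

# sha256 of stdin; portable between GNU coreutils and BSD/macOS.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# Digest of every file that shapes the produced binaries: build scripts AND
# patch files / patching scripts. Sorted so argument order cannot change the
# key (the role hashFiles() plays in the actions/cache key).
hash_build_inputs() {
    printf '%s\n' "$@" | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\n' "$f"
        cat "$f"
    done | _sha256
}

# Cache key = component-variant-SHA-inputs. The variant token must encode every
# build-config dimension (compiler/debug/replace-default/seed-src/fips).
cache_key() { # component variant sha inputs_hash
    printf '%s-%s-%s-%s\n' "$1" "$2" "$3" "$4"
}

# Written right after a from-scratch build, inside the cached path, so the
# stamp travels with the tree through save/restore.
write_stamp() { # dir sha inputs_hash
    printf 'sha=%s\ninputs=%s\n' "$2" "$3" > "$1/.build-stamp"
}

# True only if the tree exists and its stamp matches this SHA and input digest.
stamp_matches() { # dir sha inputs_hash
    [ -f "$1/.build-stamp" ] || return 1
    grep -qxF "sha=$2" "$1/.build-stamp" && grep -qxF "inputs=$3" "$1/.build-stamp"
}

# Classify the restored (source, install) pair of one dependency:
#   hit           both trees restored, both stamps match, artifact present
#   miss          neither tree present: ordinary cold build
#   inconsistent  anything else (install without source after an eviction,
#                 stale stamp, missing artifact)
# "inconsistent" must never reach the build script, which would quietly fetch
# the missing piece and produce a header-vs-binary mismatch.
dep_cache_state() { # src_dir install_dir sha inputs_hash artifact
    local src=$1 inst=$2 sha=$3 inputs=$4 artifact=$5
    if stamp_matches "$src" "$sha" "$inputs" \
       && stamp_matches "$inst" "$sha" "$inputs" \
       && [ -f "$inst/$artifact" ]; then
        echo hit
    elif [ ! -e "$src" ] && [ ! -e "$inst" ]; then
        echo miss
    else
        echo inconsistent
    fi
}

# Policy: an inconsistent restore is wiped so source and install are rebuilt
# together; with strict=1 (a job expected to warm-hit) the step fails instead.
# Prints the state the build step should act on: hit or miss.
prepare_dep() { # src_dir install_dir sha inputs_hash artifact strict
    local state
    state=$(dep_cache_state "$1" "$2" "$3" "$4" "$5")
    if [ "$state" = inconsistent ]; then
        if [ "${6:-0}" = 1 ]; then
            echo "cache restore inconsistent for $2: refusing to build on it" >&2
            return 2
        fi
        rm -rf "$1" "$2"
        state=miss
    fi
    echo "$state"
}

# Stand-alone demo on constructed files (no real OpenSSL build happens).
demo() {
    local t; t=$(mktemp -d)
    printf 'configure && make\n' > "$t/utils-openssl.sh"
    printf -- '--- a/x\n+++ b/x\n' > "$t/fix.patch"
    local sha=0123abcd inputs
    inputs=$(hash_build_inputs "$t/utils-openssl.sh" "$t/fix.patch")
    echo "key: $(cache_key openssl-install cmdline "$sha" "$inputs")"
    mkdir -p "$t/openssl-source" "$t/openssl-install/lib"
    : > "$t/openssl-install/lib/libcrypto.so"
    write_stamp "$t/openssl-source" "$sha" "$inputs"
    write_stamp "$t/openssl-install" "$sha" "$inputs"
    echo "warm: $(prepare_dep "$t/openssl-source" "$t/openssl-install" "$sha" "$inputs" lib/libcrypto.so 1)"
    rm -rf "$t/openssl-source"   # simulate the source entry being evicted
    echo "evicted: $(prepare_dep "$t/openssl-source" "$t/openssl-install" "$sha" "$inputs" lib/libcrypto.so 0)"
    rm -rf "$t"
}
demo
```

In a workflow this would run after the actions/cache restore steps and before build-wolfprovider.sh: prepare_dep hands the build step either hit or miss, and in strict mode it fails the job when a restore came back partial or stale instead of letting the build script download sources behind the cache's back. Because the stamp lives inside the cached path it is saved and restored with the tree, and because both the source and the install stamps are checked, an evicted source entry invalidates the install that was built from it, which is the case raised in the review.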
