[3.10] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) #105246
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
# bpo-40548: "paths-ignore" is not used to skip documentation-only PRs, because | |
# it prevents to mark a job as mandatory. A PR cannot be merged if a job is | |
# mandatory but not scheduled because of "paths-ignore". | |
on: | |
push: | |
branches: | |
- master | |
- 3.10 | |
- 3.9 | |
- 3.8 | |
- 3.7 | |
pull_request: | |
branches: | |
- master | |
- 3.10 | |
- 3.9 | |
- 3.8 | |
- 3.7 | |
permissions: | |
contents: read | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
check_source: | |
name: 'Check for source changes' | |
runs-on: ubuntu-latest | |
outputs: | |
run_tests: ${{ steps.check.outputs.run_tests }} | |
run_ssl_tests: ${{ steps.check.outputs.run_ssl_tests }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Check for source changes | |
id: check | |
run: | | |
if [ -z "$GITHUB_BASE_REF" ]; then | |
echo "run_tests=true" >> $GITHUB_OUTPUT | |
echo "run_ssl_tests=true" >> $GITHUB_OUTPUT | |
else | |
git fetch origin $GITHUB_BASE_REF --depth=1 | |
# git diff "origin/$GITHUB_BASE_REF..." (3 dots) may be more | |
# reliable than git diff "origin/$GITHUB_BASE_REF.." (2 dots), | |
# but it requires to download more commits (this job uses | |
# "git fetch --depth=1"). | |
# | |
# git diff "origin/$GITHUB_BASE_REF..." (3 dots) works with Git | |
# 2.26, but Git 2.28 is stricter and fails with "no merge base". | |
# | |
# git diff "origin/$GITHUB_BASE_REF.." (2 dots) should be enough on | |
# GitHub, since GitHub starts by merging origin/$GITHUB_BASE_REF | |
# into the PR branch anyway. | |
# | |
# https://github.com/python/core-workflow/issues/373 | |
git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE '(\.rst$|^Doc|^Misc)' && echo "run_tests=true" >> $GITHUB_OUTPUT || true | |
git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qE '(ssl|hashlib|hmac|^.github)' && echo "run_ssl_tests=true" >> $GITHUB_OUTPUT || true | |
fi | |
check_abi: | |
name: 'Check if the ABI has changed' | |
runs-on: ubuntu-20.04 | |
needs: check_source | |
if: needs.check_source.outputs.run_tests == 'true' | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v4 | |
- name: Install Dependencies | |
run: | | |
sudo ./.github/workflows/posix-deps-apt.sh | |
sudo apt-get install -yq abigail-tools | |
- name: Build CPython | |
env: | |
CFLAGS: -g3 -O0 | |
run: | | |
# Build Python with the libpython dynamic library | |
./configure --enable-shared | |
make -j4 | |
- name: Check for changes in the ABI | |
run: | | |
if ! make check-abidump; then | |
echo "Generated ABI file is not up to date." | |
echo "Please, add the release manager of this branch as a reviewer of this PR." | |
echo "" | |
echo "To learn more about this check, please visit: https://devguide.python.org/setup/?highlight=abi#regenerate-the-abi-dump" | |
echo "" | |
exit 1 | |
fi | |
check_generated_files: | |
name: 'Check if generated files are up to date' | |
runs-on: ubuntu-latest | |
needs: check_source | |
if: needs.check_source.outputs.run_tests == 'true' | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v4 | |
- name: Install Dependencies | |
run: sudo ./.github/workflows/posix-deps-apt.sh | |
- name: Add ccache to PATH | |
run: echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV | |
- name: Configure ccache action | |
uses: hendrikmuhs/ccache-action@v1 | |
- name: Check Autoconf version 2.69 and aclocal 1.16.3 | |
run: | | |
grep "Generated by GNU Autoconf 2.69" configure | |
grep "aclocal 1.16.3" aclocal.m4 | |
grep -q "runstatedir" configure | |
grep -q "PKG_PROG_PKG_CONFIG" aclocal.m4 | |
- name: Configure CPython | |
run: | | |
# Build Python with the libpython dynamic library | |
./configure --config-cache --with-pydebug --enable-shared | |
- name: Regenerate autoconf files | |
run: make regen-configure | |
- name: Build CPython | |
run: | | |
# Build Python with the libpython dynamic library | |
./configure --with-pydebug --enable-shared | |
make -j4 regen-all | |
make regen-stdlib-module-names | |
- name: Check for changes | |
run: | | |
changes=$(git status --porcelain) | |
# Check for changes in regenerated files | |
if test -n "$changes"; then | |
echo "Generated files not up to date." | |
echo "Perhaps you forgot to run make regen-all or build.bat --regen. ;)" | |
echo "configure files must be regenerated with a specific, unpatched version of autoconf." | |
echo "$changes" | |
exit 1 | |
fi | |
- name: Check exported libpython symbols | |
run: make smelly | |
- name: Check limited ABI symbols | |
run: make check-limited-abi | |
build_win32: | |
name: 'Windows (x86)' | |
runs-on: windows-latest | |
needs: check_source | |
if: needs.check_source.outputs.run_tests == 'true' | |
env: | |
IncludeUwp: 'true' | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build CPython | |
run: .\PCbuild\build.bat -e -p Win32 | |
- name: Display build info | |
run: .\python.bat -m test.pythoninfo | |
- name: Tests | |
run: .\PCbuild\rt.bat -p Win32 -q -uall -u-cpu -rwW --slowest --timeout=1200 -j0 | |
build_win_amd64: | |
name: 'Windows (x64)' | |
runs-on: windows-latest | |
needs: check_source | |
if: needs.check_source.outputs.run_tests == 'true' | |
env: | |
IncludeUwp: 'true' | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Register MSVC problem matcher | |
run: echo "::add-matcher::.github/problem-matchers/msvc.json" | |
- name: Build CPython | |
run: .\PCbuild\build.bat -e -p x64 | |
- name: Display build info | |
run: .\python.bat -m test.pythoninfo | |
- name: Tests | |
run: .\PCbuild\rt.bat -p x64 -q -uall -u-cpu -rwW --slowest --timeout=1200 -j0 | |
build_macos: | |
name: 'macOS' | |
runs-on: macos-latest | |
needs: check_source | |
if: needs.check_source.outputs.run_tests == 'true' | |
env: | |
HOMEBREW_NO_ANALYTICS: 1 | |
HOMEBREW_NO_AUTO_UPDATE: 1 | |
HOMEBREW_NO_INSTALL_CLEANUP: 1 | |
PYTHONSTRICTEXTENSIONBUILD: 1 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install Homebrew dependencies | |
run: brew install pkg-config [email protected] xz gdbm tcl-tk | |
- name: Configure CPython | |
run: | | |
CPPFLAGS="-I$(brew --prefix gdbm)/include -I$(brew --prefix xz)/include" \ | |
LDFLAGS="-L$(brew --prefix gdbm)/lib -L$(brew --prefix xz)/lib" \ | |
./configure \ | |
--with-pydebug \ | |
--prefix=/opt/python-dev \ | |
--with-openssl="$(brew --prefix [email protected])" | |
- name: Build CPython | |
run: make -j4 | |
- name: Display build info | |
run: make pythoninfo | |
- name: Tests | |
run: make buildbottest TESTOPTS="-j4 -uall,-cpu" | |
build_ubuntu: | |
name: 'Ubuntu' | |
runs-on: ubuntu-20.04 | |
needs: check_source | |
if: needs.check_source.outputs.run_tests == 'true' | |
env: | |
OPENSSL_VER: 3.0.11 | |
PYTHONSTRICTEXTENSIONBUILD: 1 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Register gcc problem matcher | |
run: echo "::add-matcher::.github/problem-matchers/gcc.json" | |
- name: Install Dependencies | |
run: sudo ./.github/workflows/posix-deps-apt.sh | |
- name: Configure OpenSSL env vars | |
run: | | |
echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> $GITHUB_ENV | |
echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}" >> $GITHUB_ENV | |
echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> $GITHUB_ENV | |
- name: 'Restore OpenSSL build' | |
id: cache-openssl | |
uses: actions/[email protected] | |
with: | |
path: ./multissl/openssl/${{ env.OPENSSL_VER }} | |
key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }} | |
- name: Install OpenSSL | |
if: steps.cache-openssl.outputs.cache-hit != 'true' | |
run: python3 Tools/ssl/multissltests.py --steps=library --base-directory $MULTISSL_DIR --openssl $OPENSSL_VER --system Linux | |
- name: Add ccache to PATH | |
run: | | |
echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV | |
- name: Configure ccache action | |
uses: hendrikmuhs/ccache-action@v1 | |
- name: Configure CPython | |
run: ./configure --with-pydebug --with-openssl=$OPENSSL_DIR | |
- name: Build CPython | |
run: make -j4 | |
- name: Display build info | |
run: make pythoninfo | |
- name: Tests | |
run: xvfb-run make buildbottest TESTOPTS="-j4 -uall,-cpu" | |
build_ubuntu_ssltests: | |
name: 'Ubuntu SSL tests with OpenSSL' | |
runs-on: ubuntu-20.04 | |
needs: check_source | |
if: needs.check_source.outputs.run_tests == 'true' && needs.check_source.outputs.run_ssl_tests == 'true' | |
strategy: | |
fail-fast: false | |
matrix: | |
openssl_ver: [1.1.1w, 3.0.11, 3.1.3] | |
env: | |
OPENSSL_VER: ${{ matrix.openssl_ver }} | |
MULTISSL_DIR: ${{ github.workspace }}/multissl | |
OPENSSL_DIR: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }} | |
LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Register gcc problem matcher | |
run: echo "::add-matcher::.github/problem-matchers/gcc.json" | |
- name: Install Dependencies | |
run: sudo ./.github/workflows/posix-deps-apt.sh | |
- name: Configure OpenSSL env vars | |
run: | | |
echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> $GITHUB_ENV | |
echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}" >> $GITHUB_ENV | |
echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> $GITHUB_ENV | |
- name: 'Restore OpenSSL build' | |
id: cache-openssl | |
uses: actions/cache@v3 | |
with: | |
path: ./multissl/openssl/${{ env.OPENSSL_VER }} | |
key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }} | |
- name: Install OpenSSL | |
if: steps.cache-openssl.outputs.cache-hit != 'true' | |
run: python3 Tools/ssl/multissltests.py --steps=library --base-directory $MULTISSL_DIR --openssl $OPENSSL_VER --system Linux | |
- name: Add ccache to PATH | |
run: | | |
echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV | |
- name: Configure ccache action | |
uses: hendrikmuhs/[email protected] | |
- name: Configure CPython | |
run: ./configure --with-pydebug --with-openssl=$OPENSSL_DIR | |
- name: Build CPython | |
run: make -j4 | |
- name: Display build info | |
run: make pythoninfo | |
- name: SSL tests | |
run: ./python Lib/test/ssltests.py |