From 111deefb659b8d73c56d3ce89458f2df973d60e4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 28 Jan 2023 22:53:47 -0600 Subject: [PATCH] backport main branch CI to 39.0.x (#8153) * backport main branch CI to 39.0.x * missed this one * fix boring binding (backport of #8091) * more ports * re-add 2_24 * aarch64 too * Update .github/workflows/wheel-builder.yml Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- .circleci/build-wheel.sh | 35 ----- .circleci/config.yml | 112 -------------- .github/workflows/build_openssl.sh | 13 +- .github/workflows/ci.yml | 167 +++++++++++--------- .github/workflows/macarm64.yml | 65 -------- .github/workflows/wheel-builder.yml | 76 ++++++--- MANIFEST.in | 4 +- ci-constraints-requirements.txt | 230 ++++++++++++++++++++++++++++ dev-requirements.txt | 5 - setup.cfg | 13 +- src/_cffi_src/openssl/x509v3.py | 2 +- tox.ini | 10 +- 12 files changed, 398 insertions(+), 334 deletions(-) delete mode 100755 .circleci/build-wheel.sh delete mode 100644 .circleci/config.yml delete mode 100644 .github/workflows/macarm64.yml create mode 100644 ci-constraints-requirements.txt delete mode 100644 dev-requirements.txt diff --git a/.circleci/build-wheel.sh b/.circleci/build-wheel.sh deleted file mode 100755 index d69e8c9213fe..000000000000 --- a/.circleci/build-wheel.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/bash -ex - -cd /test - -echo "Building for ${PLATFORM}" - -PYBIN="/opt/python/${PYTHON}/bin" - -mkdir -p /test/wheelhouse.final - -"${PYBIN}"/python -m venv .venv - -.venv/bin/pip install -U pip wheel cffi setuptools-rust - -.venv/bin/python setup.py sdist -cd dist -tar zxf cryptography*.tar.gz -rm -rf cryptograph*.tar.gz -cd cryptography* - -REGEX="cp3([0-9])*" -if [[ "${PYBIN}" =~ $REGEX ]]; then - PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}" -fi - -LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \ - CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \ - ../../.venv/bin/python setup.py bdist_wheel "$PY_LIMITED_API" - -auditwheel repair --plat "${PLATFORM}" -w wheelhouse/ dist/cryptography*.whl - -../../.venv/bin/pip install cryptography --no-index -f wheelhouse/ -../../.venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - -mv wheelhouse/* /test/wheelhouse.final diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index ceb2a7ee28e5..000000000000 --- a/.circleci/config.yml +++ /dev/null @@ -1,112 +0,0 @@ -version: 2.1 - -commands: - docker-pull: - parameters: - image: - type: string - steps: - - run: docker pull <> || docker pull <> - docker-run: - parameters: - image: - type: string - command: - type: string - steps: - - run: docker run -e PLATFORM -e PYTHON -v $(pwd):/test <> /bin/bash -c 'cd /test;<>' - -jobs: - linux-arm64: - machine: - image: ubuntu-2004:current - resource_class: arm.medium - parameters: - image: - type: string - toxenv: - type: string - steps: - - checkout - - docker-pull: - image: <> - - docker-run: - image: <> - command: /venv/bin/tox -e <> - linux-arm64-wheel: - machine: - image: ubuntu-2004:current - resource_class: arm.medium - parameters: - image: - type: string - platform: - type: string - python: - type: string - environment: - PLATFORM: <> - PYTHON: <> - steps: - - checkout - - docker-pull: - image: <> - - docker-run: - image: <> - command: /test/.circleci/build-wheel.sh - - store_artifacts: - path: wheelhouse.final - -workflows: - ci: - jobs: - - linux-arm64: - # Changing this name should only be done in conjunction with updating - # the required checks on GH - name: linux-arm64-ci - image: ghcr.io/pyca/cryptography-runner-ubuntu-focal:aarch64 - toxenv: py38 - # This makes sure it runs on all tags in addition to PRs/branches. - # By default CircleCI ignores tags. - filters: - tags: - only: /.*/ - - linux-arm64: - name: linux-arm64-alpine-ci - image: ghcr.io/pyca/cryptography-runner-alpine:aarch64 - toxenv: py310 - filters: - tags: - only: /.*/ - - linux-arm64-wheel: - name: manylinux2014_aarch64-wheel - image: ghcr.io/pyca/cryptography-manylinux2014_aarch64:latest - python: cp36-cp36m - platform: manylinux2014_aarch64 - filters: - tags: - only: /.*/ - - linux-arm64-wheel: - name: manylinux_2_24_aarch64-wheel - image: ghcr.io/pyca/cryptography-manylinux_2_24:aarch64 - python: cp36-cp36m - platform: manylinux_2_24_aarch64 - filters: - tags: - only: /.*/ - - linux-arm64-wheel: - name: manylinux_2_28_aarch64-wheel - image: ghcr.io/pyca/cryptography-manylinux_2_28:aarch64 - python: cp36-cp36m - platform: manylinux_2_28_aarch64 - filters: - tags: - only: /.*/ - - linux-arm64-wheel: - name: musllinux_1_1_aarch64-wheel - image: ghcr.io/pyca/cryptography-musllinux_1_1:aarch64 - python: cp36-cp36m - platform: musllinux_1_1_aarch64 - filters: - tags: - only: /.*/ diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index 947b828222b2..6dd6e04fc331 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -68,15 +68,12 @@ elif [[ "${TYPE}" == "boringssl" ]]; then git checkout "${VERSION}" mkdir build pushd build - cmake .. -DCMAKE_POSITION_INDEPENDENT_CODE=ON + # Find the default rust target based on what rustc is built for + cmake .. -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DRUST_BINDINGS="$(rustc -V --verbose | grep 'host: ' | sed 's/host: //')" -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" make -j"$(nproc)" - mkdir -p "${OSSL_PATH}/lib/" - mkdir -p "${OSSL_PATH}/include/" - mkdir -p "${OSSL_PATH}/bin/" - cp -r ../include/openssl "${OSSL_PATH}/include/" - cp ssl/libssl.a "${OSSL_PATH}/lib/" - cp crypto/libcrypto.a "${OSSL_PATH}/lib/" - cp tool/bssl "${OSSL_PATH}/bin/openssl" + make install + # BoringSSL doesn't have a bin/openssl and we use that to detect success + touch "${OSSL_PATH}/bin/openssl" popd popd fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0dcce6503b7f..8b55ddf0e5a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,23 +40,23 @@ jobs: - {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "libressl", VERSION: "3.7.0"}} - {VERSION: "3.11", TOXENV: "py311-randomorder"} - {VERSION: "3.12-dev", TOXENV: "py312"} - # Latest commit on the BoringSSL master branch, as of Dec 23, 2022. - - {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "boringssl", VERSION: "31bad2514d21f6207f3925ba56754611c462a873"}} - # Latest commit on the OpenSSL master branch, as of Dec 29, 2022. - - {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "openssl", VERSION: "43a9e682d80d0abe4ffd0c76d18c43cf059a2bcc"}} + # Latest commit on the BoringSSL master branch, as of Jan 28, 2023. + - {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "boringssl", VERSION: "80a243e07ef77156af66efa7d22ac35aba44c1b3"}} + # Latest commit on the OpenSSL master branch, as of Jan 28, 2023. + - {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "openssl", VERSION: "6a9453572533e4a22e6f60fe8f6b7ef0823d9c1f"}} name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.TOXARGS }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON.VERSION }} - - uses: actions/cache@v3.2.2 + - uses: actions/cache@v3.2.3 timeout-minutes: 5 with: path: | @@ -69,13 +69,13 @@ jobs: src/rust/target/ key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-5-${{ hashFiles('**/Cargo.lock') }} - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: repository: "google/wycheproof" path: "wycheproof" ref: "master" - - run: python -m pip install tox requests coverage[toml] + - run: python -m pip install -c ci-constraints-requirements.txt tox requests coverage[toml] - name: Compute config hash and set config vars run: | DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" @@ -89,14 +89,14 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load cache - uses: actions/cache@v3.2.2 + uses: actions/cache@v3.2.3 id: ossl-cache timeout-minutes: 5 with: path: ${{ github.workspace }}/osslcache # When altering the openssl build process you may need to increment the value on the end of this cache key # so that you can prevent it from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-4 + key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-6 if: matrix.PYTHON.OPENSSL - name: Build custom OpenSSL/LibreSSL run: .github/workflows/build_openssl.sh @@ -120,35 +120,46 @@ jobs: - uses: ./.github/actions/upload-coverage linux-distros: - runs-on: ubuntu-latest + runs-on: ${{ matrix.IMAGE.RUNNER }} container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }} strategy: fail-fast: false matrix: IMAGE: - - {IMAGE: "rhel8", TOXENV: "py36"} - - {IMAGE: "rhel8-fips", TOXENV: "py36", FIPS: true} - - {IMAGE: "rhel8", TOXENV: "py38"} - - {IMAGE: "rhel8-fips", TOXENV: "py38", FIPS: true} - - {IMAGE: "buster", TOXENV: "py37"} - - {IMAGE: "bullseye", TOXENV: "py39"} - - {IMAGE: "bookworm", TOXENV: "py310"} - - {IMAGE: "sid", TOXENV: "py310"} - - {IMAGE: "ubuntu-bionic", TOXENV: "py36"} - - {IMAGE: "ubuntu-focal", TOXENV: "py38"} - - {IMAGE: "ubuntu-jammy", TOXENV: "py310"} - - {IMAGE: "ubuntu-rolling", TOXENV: "py310"} - - {IMAGE: "fedora", TOXENV: "py311"} - - {IMAGE: "alpine", TOXENV: "py310"} - - {IMAGE: "centos-stream9", TOXENV: "py39"} - name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" + - {IMAGE: "rhel8", TOXENV: "py36", RUNNER: "ubuntu-latest"} + - {IMAGE: "rhel8-fips", TOXENV: "py36", RUNNER: "ubuntu-latest", FIPS: true} + - {IMAGE: "rhel8", TOXENV: "py38", RUNNER: "ubuntu-latest"} + - {IMAGE: "rhel8-fips", TOXENV: "py38", RUNNER: "ubuntu-latest", FIPS: true} + - {IMAGE: "buster", TOXENV: "py37", RUNNER: "ubuntu-latest"} + - {IMAGE: "bullseye", TOXENV: "py39", RUNNER: "ubuntu-latest"} + - {IMAGE: "bookworm", TOXENV: "py310", RUNNER: "ubuntu-latest"} + - {IMAGE: "sid", TOXENV: "py311", RUNNER: "ubuntu-latest"} + - {IMAGE: "ubuntu-bionic", TOXENV: "py36", RUNNER: "ubuntu-latest"} + - {IMAGE: "ubuntu-focal", TOXENV: "py38", RUNNER: "ubuntu-latest"} + - {IMAGE: "ubuntu-jammy", TOXENV: "py310", RUNNER: "ubuntu-latest"} + - {IMAGE: "ubuntu-rolling", TOXENV: "py310", RUNNER: "ubuntu-latest"} + - {IMAGE: "fedora", TOXENV: "py311", RUNNER: "ubuntu-latest"} + - {IMAGE: "alpine", TOXENV: "py310", RUNNER: "ubuntu-latest"} + - {IMAGE: "centos-stream9", TOXENV: "py39", RUNNER: "ubuntu-latest"} + + - {IMAGE: "ubuntu-jammy:aarch64", TOXENV: "py310", RUNNER: [self-hosted, Linux, ARM64]} + - {IMAGE: "alpine:aarch64", TOXENV: "py310", RUNNER: [self-hosted, Linux, ARM64]} timeout-minutes: 15 steps: - - uses: actions/checkout@v3.2.0 + - name: Ridiculous alpine workaround for actions support on arm64 + run: | + # This modifies /etc/os-release so the JS actions + # from GH can't detect that it's on alpine:aarch64. It will + # then use a glibc nodejs, which works fine when gcompat + # is installed in the container (which it is) + sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release + if: matrix.IMAGE.IMAGE == 'alpine:aarch64' + + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false - - uses: actions/cache@v3.2.2 + - uses: actions/cache@v3.2.3 timeout-minutes: 5 with: path: | @@ -159,9 +170,9 @@ jobs: ~/.cargo/registry/src/ ~/.cargo/git/db/ src/rust/target/ - key: ${{ runner.os }}-${{ matrix.IMAGE.IMAGE }}-cargo-3-${{ hashFiles('**/Cargo.lock') }} + key: ${{ runner.os }}-${{ matrix.IMAGE.IMAGE }}-${{ runner.arch }}-cargo-3-${{ hashFiles('**/Cargo.lock') }} - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: repository: "google/wycheproof" @@ -175,6 +186,7 @@ jobs: echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV echo "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING" >> $GITHUB_ENV if: matrix.IMAGE.FIPS + - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt tox coverage - run: '/venv/bin/tox -vvv -- --wycheproof-root="wycheproof"' env: TOXENV: ${{ matrix.IMAGE.TOXENV }} @@ -201,14 +213,15 @@ jobs: # Potential future MSRVs # 1.51 - const generics (for rust-asn1) # 1.56 - new versions of once_cell and bumpalo + # 1.60 - new version of cxx name: "${{ matrix.PYTHON.TOXENV }} with Rust ${{ matrix.RUST }}" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false - - uses: actions/cache@v3.2.2 + - uses: actions/cache@v3.2.3 timeout-minutes: 5 with: path: | @@ -222,19 +235,19 @@ jobs: key: ${{ runner.os }}-cargo-3-${{ hashFiles('**/Cargo.lock') }}-${{ matrix.RUST }} - name: Setup python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON.VERSION }} - - uses: dtolnay/rust-toolchain@e645b0cf01249a964ec099494d38d2da0f0b349f + - uses: dtolnay/rust-toolchain@ce8f65846d7180d2ce63b1e74483d981800b9e22 with: toolchain: ${{ matrix.RUST }} - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: repository: "google/wycheproof" path: "wycheproof" ref: "master" - - run: python -m pip install tox coverage[toml] + - run: python -m pip install -c ci-constraints-requirements.txt tox coverage[toml] - name: Tests run: | tox -vvv -r -- --color=yes --wycheproof-root=wycheproof @@ -254,12 +267,14 @@ jobs: - nightly name: "Rust Coverage" timeout-minutes: 15 + env: + CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false - - uses: actions/cache@v3.2.2 + - uses: actions/cache@v3.2.3 id: cargo-cache timeout-minutes: 5 with: @@ -274,23 +289,23 @@ jobs: key: ${{ runner.os }}-cargo-3-${{ hashFiles('**/Cargo.lock') }}-rust-${{ matrix.RUST }}-coverage - name: Setup python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON.VERSION }} - - uses: dtolnay/rust-toolchain@e645b0cf01249a964ec099494d38d2da0f0b349f + - uses: dtolnay/rust-toolchain@ce8f65846d7180d2ce63b1e74483d981800b9e22 with: toolchain: ${{ matrix.RUST }} components: llvm-tools-preview - run: cargo install cargo-binutils if: steps.cargo-cache.outputs.cache-hit != 'true' - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: repository: "google/wycheproof" path: "wycheproof" ref: "master" - - run: python -m pip install tox coverage[toml] + - run: python -m pip install -c ci-constraints-requirements.txt tox coverage[toml] - name: Tests run: | tox -vvv -r -- --color=yes --wycheproof-root=wycheproof @@ -331,21 +346,28 @@ jobs: - uses: ./.github/actions/upload-coverage macos: - runs-on: macos-12 + runs-on: ${{ matrix.RUNNER.OS }} strategy: fail-fast: false matrix: + RUNNER: + - {OS: 'macos-12', ARCH: 'x86_64'} + - {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} PYTHON: - {VERSION: "3.6", TOXENV: "py36", EXTRA_CFLAGS: ""} - - {VERSION: "3.10", TOXENV: "py310", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"} - name: "${{ matrix.PYTHON.TOXENV }} on macOS" + - {VERSION: "3.11", TOXENV: "py311", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"} + exclude: + # We only test latest Python on arm64. The py36 won't work since there's no universal2 binary + - PYTHON: {VERSION: "3.6", TOXENV: "py36", EXTRA_CFLAGS: ""} + RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} + name: "${{ matrix.PYTHON.TOXENV }} on macOS ${{ matrix.RUNNER.ARCH }}" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false - - uses: actions/cache@v3.2.2 + - uses: actions/cache@v3.2.3 timeout-minutes: 5 with: path: | @@ -356,16 +378,17 @@ jobs: ~/.cargo/registry/src/ ~/.cargo/git/db/ src/rust/target/ - key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-cargo-3-${{ hashFiles('**/Cargo.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-${{ matrix.PYTHON.VERSION }}-cargo-3-${{ hashFiles('**/Cargo.lock') }} - name: Setup python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON.VERSION }} + architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 - - run: python -m pip install tox requests coverage[toml] + - run: python -m pip install -c ci-constraints-requirements.txt tox requests coverage[toml] - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: repository: "google/wycheproof" @@ -381,7 +404,7 @@ jobs: run: | CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \ LDFLAGS="${HOME}/openssl-macos-universal2/lib/libcrypto.a ${HOME}/openssl-macos-universal2/lib/libssl.a" \ - CFLAGS="-I${HOME}/openssl-macos-universal2/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -mmacosx-version-min=10.12 -march=core2 $EXTRA_CFLAGS" \ + CFLAGS="-I${HOME}/openssl-macos-universal2/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -mmacosx-version-min=10.12 $EXTRA_CFLAGS" \ tox -vvv -r -- --color=yes --wycheproof-root=wycheproof env: TOXENV: ${{ matrix.PYTHON.TOXENV }} @@ -405,17 +428,17 @@ jobs: name: "${{ matrix.PYTHON.TOXENV }} on ${{ matrix.WINDOWS.WINDOWS }} (part ${{ matrix.JOB_NUMBER }})" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} - - uses: actions/cache@v3.2.2 + - uses: actions/cache@v3.2.3 timeout-minutes: 5 with: path: | @@ -428,7 +451,7 @@ jobs: src/rust/target/ key: ${{ runner.os }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }}-cargo-3-${{ hashFiles('**/Cargo.lock') }} - - run: python -m pip install tox requests coverage[toml] + - run: python -m pip install -c ci-constraints-requirements.txt "tox>3" requests coverage[toml] - name: Download OpenSSL run: | python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }} @@ -438,7 +461,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} shell: bash - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: repository: "google/wycheproof" @@ -469,15 +492,15 @@ jobs: - mitmproxy - scapy PYTHON: - - 3.9 + - '3.11' name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false - - uses: actions/cache@v3.2.2 + - uses: actions/cache@v3.2.3 timeout-minutes: 5 with: path: | @@ -491,7 +514,7 @@ jobs: key: ${{ runner.os }}-cargo-3-${{ hashFiles('**/Cargo.lock') }} - name: Setup python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON }} - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install @@ -523,14 +546,14 @@ jobs: name: "linkcheck" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 with: persist-credentials: false - name: Setup python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: 3.11 - - run: python -m pip install -U tox + - run: python -m pip install -c ci-constraints-requirements.txt tox - run: tox -r -- --color=yes env: TOXENV: docs-linkcheck @@ -541,7 +564,7 @@ jobs: needs: [linux, linux-distros, linux-rust, linux-rust-coverage, macos, windows, linux-downstream] if: ${{ always() }} steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 timeout-minutes: 3 with: persist-credentials: false @@ -551,14 +574,14 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: '3.10' - - run: pip install coverage[toml] + - run: pip install -c ci-constraints-requirements.txt coverage[toml] if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@v3.0.1 + uses: actions/download-artifact@v3.0.2 with: name: coverage-data - name: Combine coverage and fail if it's <100%. @@ -600,14 +623,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@v3.1.2 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@v3.1.2 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/macarm64.yml b/.github/workflows/macarm64.yml deleted file mode 100644 index 71c1419a279f..000000000000 --- a/.github/workflows/macarm64.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: macOS arm64 CI -on: - push: - branches: - - main - - '*.*.x' - tags: - - '*.*' - - '*.*.*' - -permissions: - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} - cancel-in-progress: true - -jobs: - macos-arm64: - if: github.repository_owner == 'pyca' - runs-on: [self-hosted, macos, ARM64] - name: "macOS arm64" - strategy: - fail-fast: false - matrix: - PYTHON: - - {TOXENV: "py310", BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.10/bin/python3'} - timeout-minutes: 10 - steps: - - name: "Delete workspace" # self-hosted runners need this, sigh - run: gfind ! -name '.' ! -name '..' -delete - - uses: actions/checkout@v3.2.0 - with: - persist-credentials: false - - uses: actions/cache@v3.2.2 - with: - path: | - src/rust/target/ - key: ${{ runner.os }}-${{ matrix.PYTHON.TOXENV }}-cargo-macarm64-${{ hashFiles('**/Cargo.lock') }} - - - uses: actions/checkout@v3.2.0 - with: - repository: "google/wycheproof" - path: "wycheproof" - ref: "master" - - name: Setup venv and install deps - run: | - $BIN_PATH -m venv venv - venv/bin/python -m pip install tox requests - env: - BIN_PATH: ${{ matrix.PYTHON.BIN_PATH }} - - name: Download OpenSSL - run: | - venv/bin/python .github/workflows/download_openssl.py macos openssl-macos-universal2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tests - run: | - CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \ - LDFLAGS="${HOME}/openssl-macos-universal2/lib/libcrypto.a ${HOME}/openssl-macos-universal2/lib/libssl.a" \ - CFLAGS="-I${HOME}/openssl-macos-universal2/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function $EXTRA_CFLAGS" \ - venv/bin/tox -r -- --color=yes --wycheproof-root=wycheproof - env: - TOXENV: ${{ matrix.PYTHON.TOXENV }} - CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 9bf72146de86..2c575efb7a3f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -37,18 +37,18 @@ jobs: run: .venv/bin/python setup.py sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python setup.py sdist bdist_wheel - - uses: actions/upload-artifact@v3.1.1 + - uses: actions/upload-artifact@v3.1.2 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@v3.1.1 + - uses: actions/upload-artifact@v3.1.2 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* manylinux: needs: [sdist] - runs-on: ubuntu-latest + runs-on: ${{ matrix.MANYLINUX.RUNNER }} container: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }} strategy: fail-fast: false @@ -58,19 +58,47 @@ jobs: - { VERSION: "pp38-pypy38_pp73" } - { VERSION: "pp39-pypy39_pp73" } MANYLINUX: - - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64" } - - { NAME: "manylinux_2_24_x86_64", CONTAINER: "cryptography-manylinux_2_24:x86_64"} - - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64"} - - { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64"} + - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } + - { NAME: "manylinux_2_24_x86_64", CONTAINER: "cryptography-manylinux_2_24:x86_64", RUNNER: "ubuntu-latest"} + - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"} + - { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} + + - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } + - { NAME: "manylinux_2_24_aarch64", CONTAINER: "cryptography-manylinux_2_24:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} exclude: # There are no readily available musllinux PyPy distributions - PYTHON: { VERSION: "pp38-pypy38_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64"} + MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp39-pypy39_pp73" } + MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp38-pypy38_pp73" } + MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - PYTHON: { VERSION: "pp39-pypy39_pp73" } + MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + # We also don't build pypy wheels for anything except the latest manylinux + - PYTHON: { VERSION: "pp38-pypy38_pp73" } + MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64"} + MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp38-pypy38_pp73" } + MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - PYTHON: { VERSION: "pp39-pypy39_pp73" } + MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - PYTHON: { VERSION: "pp38-pypy38_pp73" } name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" steps: - - uses: actions/download-artifact@v3.0.1 + - name: Ridiculous alpine workaround for actions support on arm64 + run: | + # This modifies /etc/os-release so the JS actions + # from GH can't detect that it's on alpine:aarch64. It will + # then use a glibc nodejs, which works fine when gcompat + # is installed in the container (which it is) + sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release + if: matrix.MANYLINUX.NAME == 'musllinux_1_1_aarch64' + + - uses: actions/download-artifact@v3.0.2 with: name: cryptography-sdist @@ -104,7 +132,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@v3.1.1 + - uses: actions/upload-artifact@v3.1.2 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}" path: cryptography-wheelhouse/ @@ -151,12 +179,12 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: # Needed for download_openssl.py - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} persist-credentials: false - - uses: actions/download-artifact@v3.0.1 + - uses: actions/download-artifact@v3.0.2 with: name: cryptography-sdist @@ -168,17 +196,17 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -U requests + - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -c ci-constraints-requirements.txt -U requests - name: Download OpenSSL run: | ${{ matrix.PYTHON.BIN_PATH }} .github/workflows/download_openssl.py macos openssl-macos-universal2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: dtolnay/rust-toolchain@e645b0cf01249a964ec099494d38d2da0f0b349f + - uses: dtolnay/rust-toolchain@ce8f65846d7180d2ce63b1e74483d981800b9e22 with: toolchain: stable # Add the arm64 target in addition to the native arch (x86_64) @@ -209,7 +237,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@v3.1.1 + - uses: actions/upload-artifact@v3.1.2 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -236,26 +264,26 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: # Needed for download_openssl.py - - uses: actions/checkout@v3.2.0 + - uses: actions/checkout@v3.3.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} persist-credentials: false - - uses: actions/download-artifact@v3.0.1 + - uses: actions/download-artifact@v3.0.2 with: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@v4.4.0 + uses: actions/setup-python@v4.5.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} - - uses: dtolnay/rust-toolchain@e645b0cf01249a964ec099494d38d2da0f0b349f + - uses: dtolnay/rust-toolchain@ce8f65846d7180d2ce63b1e74483d981800b9e22 with: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - run: pip install requests + - run: pip install -c ci-constraints-requirements.txt requests - name: Download OpenSSL run: | python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }} @@ -277,7 +305,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@v3.1.1 + - uses: actions/upload-artifact@v3.1.2 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION}}" path: cryptography-wheelhouse\ diff --git a/MANIFEST.in b/MANIFEST.in index 8471d75785ab..62699330e9b2 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -19,6 +19,4 @@ recursive-exclude vectors * recursive-exclude .github * -exclude release.py .readthedocs.yml dev-requirements.txt tox.ini mypy.ini - -recursive-exclude .circleci * +exclude release.py .readthedocs.yml ci-constraints-requirements.txt tox.ini mypy.ini diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt new file mode 100644 index 000000000000..e7eb850fa86e --- /dev/null +++ b/ci-constraints-requirements.txt @@ -0,0 +1,230 @@ +# This is named ambigiously, but it's a pip constraints file, named like a +# requirements file so dependabot will update the pins. +# It was originally generated with; +# pip-compile --extra=docs --extra=docstest --extra=pep8test --extra=test --extra=test-randomorder --extra=tox --resolver=backtracking --strip-extras --unsafe-package=cffi --unsafe-package=pycparser --unsafe-package=setuptools setup.cfg +# and then manually massaged to add version specifiers to packages whose +# versions vary by Python version + +alabaster==0.7.13 + # via sphinx +attrs==22.2.0 + # via + # hypothesis + # pytest +babel==2.11.0 + # via sphinx +black==22.12.0 + # via cryptography (setup.cfg) +bleach==6.0.0 + # via readme-renderer +build==0.10.0 + # via check-manifest +cachetools==5.3.0 + # via tox +certifi==2022.12.7 + # via requests +chardet==5.1.0 + # via tox +charset-normalizer==3.0.1; python_version >= "3.7" + # via requests +check-manifest==0.49 + # via cryptography (setup.cfg) +click==8.1.3 + # via black +colorama==0.4.6; python_version >= "3.7" + # via tox +coverage==7.1.0; python_version >= "3.7" + # via pytest-cov +distlib==0.3.6 + # via virtualenv +docutils==0.17.1 + # via + # readme-renderer + # sphinx + # sphinx-rtd-theme +exceptiongroup==1.1.0 + # via + # hypothesis + # pytest +execnet==1.9.0 + # via pytest-xdist +filelock==3.9.0; python_version >= "3.7" + # via + # tox + # virtualenv +hypothesis==6.65.2; python_version >= "3.7" + # via cryptography (setup.cfg) +idna==3.4 + # via requests +imagesize==1.4.1 + # via sphinx +importlib-metadata==6.0.0; python_version >= "3.7" + # via + # keyring + # twine +iniconfig==2.0.0; python_version >= "3.7" + # via pytest +iso8601==1.1.0 + # via cryptography (setup.cfg) +jaraco-classes==3.2.3 + # via keyring +jinja2==3.1.2 + # via sphinx +keyring==23.13.1 + # via twine +markdown-it-py==2.1.0 + # via rich +markupsafe==2.1.2 + # via jinja2 +mdurl==0.1.2 + # via markdown-it-py +more-itertools==9.0.0 + # via jaraco-classes +mypy==0.991 + # via cryptography (setup.cfg) +mypy-extensions==0.4.3 + # via + # black + # mypy +packaging==23.0; python_version >= "3.7" + # via + # build + # pyproject-api + # pytest + # sphinx + # tox +pathspec==0.11.0 + # via black +pkginfo==1.9.6 + # via twine +platformdirs==2.6.2; python_version >= "3.7" + # via + # black + # tox + # virtualenv +pluggy==1.0.0; python_version >= "3.7" + # via + # pytest + # tox +pretend==1.0.9 + # via cryptography (setup.cfg) +py-cpuinfo==9.0.0 + # via pytest-benchmark +pyenchant==3.2.2 + # via + # cryptography (setup.cfg) + # sphinxcontrib-spelling +pygments==2.14.0 + # via + # readme-renderer + # rich + # sphinx +pyproject-api==1.5.0 + # via tox +pyproject-hooks==1.0.0 + # via build +pytest==7.2.1; python_version >= "3.7" + # via + # cryptography (setup.cfg) + # pytest-benchmark + # pytest-cov + # pytest-randomly + # pytest-shard + # pytest-subtests + # pytest-xdist +pytest-benchmark==4.0.0; python_version >= "3.7" + # via cryptography (setup.cfg) +pytest-cov==4.0.0 + # via cryptography (setup.cfg) +pytest-randomly==3.12.0 + # via cryptography (setup.cfg) +pytest-shard==0.1.2 + # via cryptography (setup.cfg) +pytest-subtests==0.9.0; python_version >= "3.7" + # via cryptography (setup.cfg) +pytest-xdist==3.1.0; python_version >= "3.7" + # via cryptography (setup.cfg) +pytz==2022.7.1 + # via + # babel + # cryptography (setup.cfg) +readme-renderer==37.3 + # via twine +requests==2.28.2; python_version >= "3.7" + # via + # requests-toolbelt + # sphinx + # twine +requests-toolbelt==0.10.1 + # via twine +rfc3986==2.0.0 + # via twine +rich==13.3.0 + # via twine +ruff==0.0.236 + # via cryptography (setup.cfg) +six==1.16.0 + # via bleach +snowballstemmer==2.2.0 + # via sphinx +sortedcontainers==2.4.0 + # via hypothesis +sphinx==5.3.0 + # via + # cryptography (setup.cfg) + # sphinx-rtd-theme + # sphinxcontrib-spelling +sphinx-rtd-theme==1.1.1 + # via cryptography (setup.cfg) +sphinxcontrib-applehelp==1.0.4 + # via sphinx +sphinxcontrib-devhelp==1.0.2 + # via sphinx +sphinxcontrib-htmlhelp==2.0.0 + # via sphinx +sphinxcontrib-jsmath==1.0.1 + # via sphinx +sphinxcontrib-qthelp==1.0.3 + # via sphinx +sphinxcontrib-serializinghtml==1.1.5 + # via sphinx +sphinxcontrib-spelling==7.7.0 + # via cryptography (setup.cfg) +tomli==2.0.1; python_version >= "3.7" + # via + # black + # build + # check-manifest + # coverage + # mypy + # pyproject-api + # pyproject-hooks + # pytest + # tox +tox==4.4.2; python_version >= "3.7" + # via cryptography (setup.cfg) +twine==4.0.2 + # via cryptography (setup.cfg) +types-pytz==2022.7.1.0 + # via cryptography (setup.cfg) +types-requests==2.28.11.8 + # via cryptography (setup.cfg) +types-urllib3==1.26.25.4 + # via types-requests +typing-extensions==4.4.0; python_version >= "3.7" + # via mypy +urllib3==1.26.14 + # via + # requests + # twine +virtualenv==20.17.1 + # via tox +webencodings==0.5.1 + # via bleach +zipp==3.12.0; python_version >= "3.7" + # via importlib-metadata + +# The following packages are considered to be unsafe in a requirements file: +# cffi +# pycparser +# setuptools diff --git a/dev-requirements.txt b/dev-requirements.txt deleted file mode 100644 index 41d533168eda..000000000000 --- a/dev-requirements.txt +++ /dev/null @@ -1,5 +0,0 @@ -click -tox >= 2.4.1 -twine >= 1.8.0 --e .[test,docs,docstest,pep8test] --e vectors diff --git a/setup.cfg b/setup.cfg index 7a78922c0e2d..8a22fec8b068 100644 --- a/setup.cfg +++ b/setup.cfg @@ -55,8 +55,11 @@ exclude = _cffi_src.* [options.extras_require] +tox = + tox test = pytest>=6.2.0 + pytest-shard>=0.1.2 pytest-benchmark pytest-cov pytest-subtests @@ -65,9 +68,11 @@ test = iso8601 pytz hypothesis>=1.11.4,!=3.79.2 +test-randomorder: + pytest-randomly docs = - sphinx >= 1.6.5,!=1.8.0,!=3.1.0,!=3.1.1,!=5.2.0,!=5.2.0.post0 - sphinx_rtd_theme + sphinx >= 5.3.0 + sphinx-rtd-theme>=1.1.1 docstest = pyenchant >= 1.6.11 twine >= 1.12.0 @@ -77,6 +82,10 @@ sdist = pep8test = black ruff + mypy + types-pytz + types-requests + check-manifest # This extra is for OpenSSH private keys that use bcrypt KDF # Versions: v3.1.3 - ignore_few_rounds, v3.1.5 - abi3 ssh = diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index 863973fc0d08..838bda2903ec 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -51,7 +51,7 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *, X509V3_CTX *, const char *, const char *); -void *X509V3_set_ctx_nodb(X509V3_CTX *); +void X509V3_set_ctx_nodb(X509V3_CTX *); int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *); GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int); diff --git a/tox.ini b/tox.ini index fc30b72f101c..b369da8e9f79 100644 --- a/tox.ini +++ b/tox.ini @@ -6,10 +6,9 @@ isolated_build = True extras = test ssh: ssh + randomorder: test-randomorder deps = -e ./vectors - pytest-shard>=0.1.2 - randomorder: pytest-randomly passenv = ARCHFLAGS LDFLAGS @@ -26,6 +25,8 @@ passenv = CRYPTOGRAPHY_OPENSSL_NO_LEGACY OPENSSL_ENABLE_SHA1_SIGNATURES CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS +setenv = + PIP_CONSTRAINT=ci-constraints-requirements.txt commands = pip list !nocoverage: pytest -n auto --cov=cryptography --cov=tests --durations=10 {posargs} tests/ @@ -59,11 +60,6 @@ extras = pep8test test ssh -deps = - mypy - types-pytz - types-requests - check-manifest commands = ruff . black --check .