# This action uses the following secrets:
#   CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org – without it, the cache is read-only.
name: Test Shared libraries

# Triggered by `pull_request` (not `pull_request_target`): runs started from
# forks do not receive repository secrets, so CACHIX_AUTH_TOKEN is empty for
# them and the cache is read-only.
on:
  pull_request:
    # Changes that touch only these paths do not start the workflow. The
    # '!'-prefixed entries are meant to carve exceptions out of a broader
    # pattern listed before them (tools/**, .**), so that edits to the Nix
    # tooling and to this workflow's own files are still tested.
    paths-ignore:
      - '**.md'
      - 'eslint.config.mjs'
      - '**/eslint.config_partial.mjs'
      - 'android-configure'
      - 'android-configure.py'
      - 'android-patches/**'
      - 'benchmarks/**'
      - 'codecov.yml'
      - 'deps/ada/**'
      - 'deps/brotli/**'
      - 'deps/cares/**'
      - 'deps/crates/**'
      - 'deps/corepack/**'
      - 'deps/googletest/**'
      - 'deps/histogram/**'
      - 'deps/icu-small/**'
      - 'deps/icu-tmp/**'
      - 'deps/llhttp/**'
      - 'deps/merve/**'
      - 'deps/nbytes/**'
      - 'deps/nghttp2/**'
      - 'deps/ngtcp2/**'
      - 'deps/openssl/*/**'
      - 'deps/simdjson/**'
      - 'deps/sqlite/**'
      - 'deps/uv/**'
      - 'deps/uvwasi/**'
      - 'deps/zlib/**'
      - 'deps/zstd/**'
      - 'doc/**'
      - 'pyproject.yml'
      - 'tsconfig.json'
      - 'test/internet/**'
      - 'tools/**'
      - '!tools/gyp/**'
      - '!tools/nix/**'
      - '!tools/v8/**'
      - '!tools/v8_gypfiles/**'
      - 'typings/**'
      - 'vcbuild.bat'
      - '.**'
      - '!.github/workflows/test-shared.yml'
      - '!.github/actions/build-shared/**'
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  push:
    branches:
      - 'main'
      - 'canary'
      - 'v[0-9]+.x-staging'
      - 'v[0-9]+.x'
    # Same ignore list as for pull_request above; keep the two in sync.
    paths-ignore:
      - '**.md'
      - 'eslint.config.mjs'
      - '**/eslint.config_partial.mjs'
      - 'android-configure'
      - 'android-configure.py'
      - 'android-patches/**'
      - 'benchmarks/**'
      - 'codecov.yml'
      - 'deps/ada/**'
      - 'deps/brotli/**'
      - 'deps/cares/**'
      - 'deps/crates/**'
      - 'deps/corepack/**'
      - 'deps/googletest/**'
      - 'deps/histogram/**'
      - 'deps/icu-small/**'
      - 'deps/icu-tmp/**'
      - 'deps/llhttp/**'
      - 'deps/merve/**'
      - 'deps/nbytes/**'
      - 'deps/nghttp2/**'
      - 'deps/ngtcp2/**'
      - 'deps/openssl/*/**'
      - 'deps/simdjson/**'
      - 'deps/sqlite/**'
      - 'deps/uv/**'
      - 'deps/uvwasi/**'
      - 'deps/zlib/**'
      - 'deps/zstd/**'
      - 'doc/**'
      - 'pyproject.yml'
      - 'tsconfig.json'
      - 'test/internet/**'
      - 'tools/**'
      - '!tools/gyp/**'
      - '!tools/nix/**'
      - '!tools/v8/**'
      - '!tools/v8_gypfiles/**'
      - 'typings/**'
      - 'vcbuild.bat'
      - '.**'
      - '!.github/workflows/test-shared.yml'
      - '!.github/actions/build-shared/**'

# github.head_ref is only set for pull_request events, so runs for the same PR
# branch share a group and a newer run cancels the older one. Pushes fall back
# to the unique run_id and therefore never cancel each other.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
env:
  FLAKY_TESTS: keep_retrying

# Least privilege: the GITHUB_TOKEN handed to every job can only read
# repository contents.
permissions:
  contents: read

jobs:
  # Produces the source tarball that the later jobs declare a dependency on.
  build-tarball:
    # Skips draft PRs. On push events there is no pull_request payload and the
    # comparison still evaluates to true, so pushes always run.
    if: github.event.pull_request.draft == false
    name: ${{ github.event_name == 'workflow_dispatch' && 'Skipped job' || 'Build slim tarball' }}
    runs-on: ubuntu-slim
    steps:
      # Actions are pinned to a full commit SHA; the trailing comment records
      # the release the SHA corresponds to.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the token in the checkout's git config, where the
          # build steps that follow could read it.
          persist-credentials: false
      - name: Make tarball
        run: |
          export DATESTRING=$(date "+%Y-%m-%d")
          export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA")
          ./configure && make tar -j4 SKIP_XZ=1 SKIP_SHARED_DEPS=1
        env:
          DISTTYPE: nightly
      - name: Upload tarball artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: tarballs
          path: '*.tar.gz'
          # The tarball is already gzip-compressed.
          compression-level: 0

  build:
    needs: build-tarball
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-24.04
            system: x86_64-linux
          # built separately in build-aarch64-linux-v8
          # - runner: ubuntu-24.04-arm
          #   system: aarch64-linux
          - runner: macos-15-intel
            system: x86_64-darwin
          - runner: macos-latest
            system: aarch64-darwin
    name: '${{ matrix.system }}: with shared libraries'
    runs-on: ${{ matrix.runner }}
    steps:
      # Only the local composite actions are checked out here.
      # NOTE(review): the sources under test presumably come from the
      # `tarballs` artifact inside build-shared; confirm in that action.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
          sparse-checkout-cone-mode: false
      - uses: ./.github/actions/build-shared
        name: Build and test Node.js
        with:
          # Empty when the run has no access to secrets (e.g. PRs from forks).
          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
          # The expression below is assembled from string literals and
          # matrix.system only; no event or PR-supplied text is interpolated.
          extra-nix-flags: |
            --arg useSeparateDerivationForV8 true \
            ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}

  # Builds V8 as its own Nix derivation unless nodejs.cachix.org already
  # serves it, and publishes the OpenSSL matrix as a job output.
  build-aarch64-linux-v8:
    needs: build-tarball
    runs-on: ubuntu-24.04-arm
    name: 'aarch64-linux: Cache V8 build'
    outputs:
      # 'true' only when the NAR artifact was uploaded by the `upload` step.
      local-cache: ${{ steps.upload.outcome != 'skipped' && 'true' || '' }}
      matrix: ${{ steps.query.outputs.matrix }}
    env:
      # The `secrets` context cannot be used in step-level `if:` conditions,
      # so only the fact that the token is set is exposed, never its value.
      HAS_CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN && 'true' }}
    steps:
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          name: tarballs
          path: tarballs
      - name: Extract tarball
        shell: bash
        run: |
          tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
          echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"
      - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f  # v31.10.5
        with:
          # Run Nix builds inside the build sandbox.
          extra_nix_config: sandbox = true
      # Any status other than 200 from the narinfo request (a failed request
      # included) leaves ALREADY_CACHED unset, so V8 is then built locally.
      - name: Evaluate V8 derivation, check its cache status
        id: v8-drv
        run: |
          V8_DRV=$(
            nix-instantiate -E "builtins.filter (p: p.pname == ''v8'') (import $TAR_DIR/shell.nix { useSeparateDerivationForV8=true; }).buildInputs"
          )
          V8_STORE_PATH=$(nix-store -q --outputs "$V8_DRV")
          echo "V8_DRV=$V8_DRV" >> "$GITHUB_OUTPUT"
          set -x
          [ "$(curl -ISsw "%{http_code}" -o /dev/null "https://nodejs.cachix.org/$(basename ${V8_STORE_PATH%-v8-*}).narinfo")" != "200" ] || echo "ALREADY_CACHED=true" >> "$GITHUB_OUTPUT"
      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c  # v17
        if: steps.v8-drv.outputs.ALREADY_CACHED != 'true'
        with:
          name: nodejs
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build V8 to cache it
        if: steps.v8-drv.outputs.ALREADY_CACHED != 'true'
        run: nix-store --export "$(nix-build "$V8_DRV")" > libv8-aarch64-linux.nar
        env:
          # The step output reaches the script through the environment
          # instead of being expanded into the script text.
          V8_DRV: ${{ steps.v8-drv.outputs.V8_DRV }}
      # Fallback for runs without a Cachix write token: hand the freshly built
      # V8 to downstream jobs as a workflow artifact instead.
      - name: Upload libv8-aarch64-linux.nar
        if: steps.v8-drv.outputs.ALREADY_CACHED != 'true' && env.HAS_CACHIX_AUTH_TOKEN != 'true'
        id: upload
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: libv8-aarch64-linux.nar
          path: libv8-aarch64-linux.nar
      # Evaluates tools/nix/openssl-matrix.nix from the extracted tarball and
      # emits one { attr, name } entry per attribute as JSON.
      - name: Collect matrix of support OpenSSL versions
        id: query
        run: |
          echo "matrix=$(
            nix-instantiate --eval --strict --json -E "
              let
                matrix = import $TAR_DIR/tools/nix/openssl-matrix.nix {};
              in builtins.map
                (attr: { inherit attr; inherit (builtins.getAttr attr matrix) name; })
                (builtins.attrNames matrix)
            "
          )" >> "$GITHUB_OUTPUT"

  # Builds and tests Node.js with shared
libraries against every supported # OpenSSL release version available in the repo-pinned nixpkgs. The default # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix # entry, while all other shared libs remain at their defaults. Only runs on # a single runner/system (aarch64-linux) to keep the matrix to a minimum. build-openssl: needs: build-aarch64-linux-v8 strategy: fail-fast: false matrix: openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }} name: 'aarch64-linux: with shared ${{ matrix.openssl.name }}' runs-on: ubuntu-24.04-arm continue-on-error: false env: OPENSSL_ATTR: ${{ matrix.openssl.attr }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false sparse-checkout: .github/actions sparse-checkout-cone-mode: false - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 if: ${{ needs.build-aarch64-linux-v8.outputs.local-cache }} with: name: libv8-aarch64-linux.nar - uses: ./.github/actions/build-shared name: Build and test Node.js with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} # Override just the `openssl` attr of the default shared-lib set with # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All # other shared libs (brotli, cares, libuv, …) keep their defaults. # `permittedInsecurePackages` whitelists just the matrix-selected # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support # cycles evaluate without relaxing nixpkgs' meta check globally. extra-nix-flags: | --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8-aarch64-linux.nar)"' || 'true' }} \ --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR; }" \