Speed up CI and stabilize aws-ca-regression

.github/actions/build-wolfssl/action.yml

@@ -0,0 +1,92 @@
+name: 'Build wolfSSL'
+description: >
+  Clone, build, cache and install wolfSSL (autotools) into /usr/local.
+  The build is keyed on the live wolfssl master commit plus the requested
+  configure options, so it is rebuilt only when wolfssl master advances or
+  the options change. Caches created on master are readable by pull-request
+  jobs, so PRs typically get an instant cache hit.
+
+inputs:
+  config:
+    description: 'wolfSSL configure options'
+    required: false
+    default: '--enable-enckeys'
+  cflags:
+    description: 'Extra CFLAGS for the wolfSSL build'
+    required: false
+    default: ''
+  cc:
+    description: 'CC override, e.g. "gcc -fsanitize=address" (empty = default)'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Resolve wolfSSL master revision and cache key
+      id: rev
+      shell: bash
+      run: |
+        set -e
+        sha=$(git ls-remote https://github.com/wolfssl/wolfssl refs/heads/master | cut -f1)
+        if [ -z "$sha" ]; then
+          echo "ERROR: failed to resolve wolfssl master SHA" >&2
+          exit 1
+        fi
+        echo "sha=$sha" >> "$GITHUB_OUTPUT"
+        # Key on the specific runner image (e.g. ubuntu22 vs ubuntu24) not
+        # just the OS, so a binary built against a newer glibc is not
+        # restored onto an older image. Falls back to runner.os if unset.
+        echo "image=${ImageOS:-${{ runner.os }}}" >> "$GITHUB_OUTPUT"
+        # Hash the build options so different configs do not share a cache.
+        # sha256sum is absent on some runners (e.g. macOS); fall back to shasum.
+        opts="${{ inputs.config }}|${{ inputs.cflags }}|${{ inputs.cc }}"
+        if command -v sha256sum >/dev/null 2>&1; then
+          optkey=$(printf '%s' "$opts" | sha256sum | cut -c1-12)
+        else
+          optkey=$(printf '%s' "$opts" | shasum -a 256 | cut -c1-12)
+        fi
+        echo "optkey=$optkey" >> "$GITHUB_OUTPUT"
+
+    - name: Cache wolfSSL
+      id: cache
+      uses: actions/cache@v4
+      with:
+        path: ~/wolfssl-install
+        key: wolfssl-${{ steps.rev.outputs.image }}-${{ steps.rev.outputs.sha }}-${{ steps.rev.outputs.optkey }}
+
+    - name: Build wolfSSL
+      if: steps.cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        set -e
+        cd "$HOME"
+        rm -rf wolfssl-src
+        mkdir wolfssl-src
+        cd wolfssl-src
+        # Check out the exact commit the cache key was computed from, so the
+        # artifact saved under that key matches even if master advanced
+        # between resolving the SHA and cloning.
+        git init -q
+        git remote add origin https://github.com/wolfssl/wolfssl.git
+        git fetch -q --depth 1 origin "${{ steps.rev.outputs.sha }}"
+        git checkout -q FETCH_HEAD
+        ./autogen.sh
+        jobs=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 2)
+        if [ -n "${{ inputs.cc }}" ]; then
+          ./configure --prefix="$HOME/wolfssl-install" ${{ inputs.config }} \
+            CC="${{ inputs.cc }}" CFLAGS="${{ inputs.cflags }}"
+        else
+          ./configure --prefix="$HOME/wolfssl-install" ${{ inputs.config }} \
+            CFLAGS="${{ inputs.cflags }}"
+        fi
+        make -j"$jobs"
+        make install
+
+    - name: Install wolfSSL into /usr/local
+      shell: bash
+      run: |
+        set -e
+        sudo cp -a "$HOME/wolfssl-install/." /usr/local/
+        # ldconfig is Linux-only; macOS resolves via the cached prefix path.
+        sudo ldconfig || true

.github/workflows/broker-check.yml

@@ -6,9 +6,39 @@ on:
   pull_request:
     branches: [ '*' ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  build:
+  # Build wolfSSL once per distinct configuration and populate the shared
+  # cache. The matrix below covers every wolfssl_opts value used by the
+  # broker build matrix. The build jobs `needs:` this job, so by the time
+  # they run the cache is warm and each restores instead of rebuilding --
+  # turning ~17 wolfSSL builds per run into 3, even on the first run.
+  wolfssl:
+    name: "Build wolfSSL (${{ matrix.label }})"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - label: "enckeys"
+            config: "--enable-enckeys"
+          - label: "opensslcoexist"
+            config: "--enable-opensslcoexist"
+          - label: "opensslcoexist+enckeys"
+            config: "--enable-opensslcoexist --enable-enckeys"
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build and cache wolfSSL
+        uses: ./.github/actions/build-wolfssl
+        with:
+          config: ${{ matrix.config }}
 
+  build:
+    needs: wolfssl
     runs-on: ubuntu-22.04
     timeout-minutes: 5
 
@@ -48,21 +78,14 @@ jobs:
             extra_deps: "libwebsockets-dev"
             wolfssl_opts: "--enable-opensslcoexist --enable-enckeys"
           # Maximum-QoS matrix. WOLFMQTT_MAX_QOS=2 is the default and runs
-          # the full broker.test. =1 and =0 caps compile out the QoS 2
-          # state machine; broker.test exercises QoS 2 pub/sub (tests 3
-          # and 11) which is intentionally rejected on capped builds, so
-          # those entries are build-only.
+          # the full broker.test. The =1 and =0 caps are build-only (they
+          # compile out the QoS 2 state machine, which broker.test
+          # intentionally exercises); their compile coverage is provided by
+          # cmake-build.yml's WOLFMQTT_MAX_QOS matrix, so they are not
+          # duplicated here.
           - name: "Broker MAX_QOS=2 (default, full QoS)"
             cflags: ""
             wolfmqtt_opts: "--enable-v5 --enable-broker --enable-max-qos=2"
-          - name: "Broker MAX_QOS=1 (build only)"
-            cflags: ""
-            wolfmqtt_opts: "--enable-v5 --enable-broker --enable-max-qos=1"
-            skip_broker_test: "yes"
-          - name: "Broker MAX_QOS=0 (build only)"
-            cflags: ""
-            wolfmqtt_opts: "--enable-v5 --enable-broker --enable-max-qos=0"
-            skip_broker_test: "yes"
           - name: "Broker v5 (ordering / Receive Maximum)"
             cflags: ""
             wolfmqtt_opts: "--enable-broker --enable-v5"
@@ -92,24 +115,13 @@ jobs:
         sudo apt-get update
         sudo apt-get install -y mosquitto-clients ${{ matrix.extra_deps }}
 
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v4
+
+    - name: Build and install wolfSSL
+      uses: ./.github/actions/build-wolfssl
       with:
-        repository: wolfssl/wolfssl
-        path: wolfssl
-    - name: wolfssl autogen
-      working-directory: ./wolfssl
-      run: ./autogen.sh
-    - name: wolfssl configure
-      working-directory: ./wolfssl
-      run: ./configure ${{ matrix.wolfssl_opts || '--enable-enckeys' }}
-    - name: wolfssl make
-      working-directory: ./wolfssl
-      run: make
-    - name: wolfssl make install
-      working-directory: ./wolfssl
-      run: sudo make install
+        config: ${{ matrix.wolfssl_opts || '--enable-enckeys' }}
 
-    - uses: actions/checkout@master
     - name: wolfmqtt autogen
       run: ./autogen.sh
 

.github/workflows/cmake-build.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ '*' ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
 
@@ -34,22 +38,45 @@ jobs:
         sudo apt-get update
         sudo apt-get install -y cmake
 
-#pull and build wolfssl
-    - uses: actions/checkout@master
+#pull and build wolfssl (cached, keyed on the live wolfssl master commit)
+    - name: Resolve wolfSSL master SHA
+      id: wolfssl-sha
+      run: |
+        set -e
+        sha=$(git ls-remote https://github.com/wolfssl/wolfssl refs/heads/master | cut -f1)
+        if [ -z "$sha" ]; then echo "ERROR: failed to resolve wolfssl master SHA" >&2; exit 1; fi
+        echo "sha=$sha" >> "$GITHUB_OUTPUT"
+
+    - name: Cache wolfSSL
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: ~/wolfssl-install
+        key: wolfssl-cmake-${{ steps.wolfssl-sha.outputs.sha }}
+
+    - uses: actions/checkout@v4
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
       with:
         repository: wolfssl/wolfssl
         path: wolfssl
+        ref: ${{ steps.wolfssl-sha.outputs.sha }}
     - name: Build wolfssl
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
       working-directory: ./wolfssl
       run: |
         mkdir build
         cd build
-        cmake ..
+        cmake -DCMAKE_INSTALL_PREFIX=$HOME/wolfssl-install ..
         cmake --build .
-        sudo cmake --install .
+        cmake --install .
+
+    - name: Install wolfSSL into /usr/local
+      run: |
+        sudo cp -a $HOME/wolfssl-install/. /usr/local/
+        sudo ldconfig
 
 #pull wolfMQTT
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v4
 
 #build wolfMQTT
     - name: "Build wolfMQTT (${{ matrix.name }})"

.github/workflows/docker-Espressif.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ '*' ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   espressif_latest:
     name: latest Docker container

.github/workflows/fsanitize-check.yml

@@ -6,11 +6,16 @@ on:
   pull_request:
     branches: [ '*' ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
 
     runs-on: ubuntu-22.04
-    timeout-minutes: 5
+    # 10 min: runs 5 configure/make/make-check cycles under ASan.
+    timeout-minutes: 10
     env:
       WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
 
@@ -36,23 +41,13 @@ jobs:
         sudo route
         sudo netstat -tulpan
 
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v4
+
+    - name: Build and install wolfSSL
+      uses: ./.github/actions/build-wolfssl
       with:
-        repository: wolfssl/wolfssl
-        path: wolfssl
-    - name: wolfssl autogen
-      working-directory: ./wolfssl
-      run: ./autogen.sh
-    - name: wolfssl configure
-      working-directory: ./wolfssl
-      run: ./configure --enable-enckeys
-    - name: wolfssl make
-      working-directory: ./wolfssl
-      run: make
-    - name: wolfssl make install
-      working-directory: ./wolfssl
-      run: sudo make install
-    - uses: actions/checkout@master
+        config: "--enable-enckeys"
+
     - name: autogen
       run: ./autogen.sh
 

.github/workflows/fuzz.yml

@@ -2,7 +2,7 @@ name: Fuzz Testing
 
 on:
   schedule:
-    - cron: '0 4 * * 1'  # Weekly Monday 4am UTC
+    - cron: '0 4 * * *'  # Nightly 4am UTC
   workflow_dispatch:       # Manual trigger
   pull_request:
     branches: [ '*' ]
@@ -15,7 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # Full fuzz run (weekly/manual) - 10 minutes
+          # Full fuzz run (nightly/manual) - 10 minutes
           - name: fuzz-full
             fuzz_time: 600
             smoke_only: false
@@ -32,7 +32,7 @@ jobs:
         run: sudo sysctl vm.mmap_rnd_bits=28
 
       - name: Run fuzzer
-        if: ${{ !matrix.smoke_only || github.event_name == 'pull_request' }}
+        if: ${{ (matrix.smoke_only && github.event_name == 'pull_request') || (!matrix.smoke_only && github.event_name != 'pull_request') }}
         run: ./scripts/fuzz.sh ${{ matrix.fuzz_time }}
 
       - name: Upload crash artifacts

.github/workflows/macos-check.yml

@@ -9,33 +9,60 @@ on:
 env:
   WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
 
     runs-on: macos-latest
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@master
+
+    - name: Resolve wolfSSL master SHA
+      id: wolfssl-sha
+      run: |
+        set -e
+        sha=$(git ls-remote https://github.com/wolfssl/wolfssl refs/heads/master | cut -f1)
+        if [ -z "$sha" ]; then echo "ERROR: failed to resolve wolfssl master SHA" >&2; exit 1; fi
+        echo "sha=$sha" >> "$GITHUB_OUTPUT"
+
     - uses: actions/checkout@master
       with:
         repository: wolfssl/wolfssl
         path: wolfssl
+        ref: ${{ steps.wolfssl-sha.outputs.sha }}
     - name: brew
       run: |
         brew install automake libtool mosquitto coreutils
         echo "/usr/local/sbin/" >> $GITHUB_PATH
         echo "/usr/local/opt/mosquitto/sbin/" >> $GITHUB_PATH
 
+    # Cache the wolfSSL install (prefix build-dir) keyed on the live
+    # wolfssl master commit, so it is rebuilt only when master advances.
+    - name: Cache wolfSSL
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: ${{ github.workspace }}/build-dir
+        key: wolfssl-macos-${{ steps.wolfssl-sha.outputs.sha }}-enckeys
+
     - name: wolfssl autogen
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
       working-directory: ./wolfssl
       run: ./autogen.sh
     - name: wolfssl configure
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
       working-directory: ./wolfssl
       run: ./configure --enable-enckeys --prefix=$GITHUB_WORKSPACE/build-dir
     - name: wolfssl make
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
       working-directory: ./wolfssl
       run: make
     - name: wolfssl make install
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
       working-directory: ./wolfssl
       run: make install