Skip to content

Bump cryptography from 41.0.2 to 41.0.3 in /.github/requirements #609

Bump cryptography from 41.0.2 to 41.0.3 in /.github/requirements

Bump cryptography from 41.0.2 to 41.0.3 in /.github/requirements #609

Workflow file for this run

name: Wheel Builder
permissions:
contents: read
on:
workflow_dispatch:
inputs:
version:
description: The version to build
# Do not add any non-tag push events without updating pypi-publish.yml. If
# you do, it'll upload wheels to PyPI.
push:
tags:
- '*.*'
- '*.*.*'
pull_request:
paths:
- .github/workflows/wheel-builder.yml
- .github/requirements/**
- setup.py
- pyproject.toml
- vectors/pyproject.toml
env:
BUILD_REQUIREMENTS_PATH: .github/requirements/build-requirements.txt
jobs:
sdist:
runs-on: ubuntu-latest
name: sdists
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
# The tag to build or the tag received by the tag event
ref: ${{ github.event.inputs.version || github.ref }}
persist-credentials: false
- run: python -m venv .venv
- name: Install Python dependencies
run: .venv/bin/pip install -U pip build
- name: Make sdist (cryptography)
run: .venv/bin/python -m build --sdist
- name: Make sdist and wheel (vectors)
run: cd vectors/ && ../.venv/bin/python -m build
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "cryptography-sdist"
path: dist/cryptography*
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "vectors-sdist-wheel"
path: vectors/dist/cryptography*
manylinux:
needs: [sdist]
runs-on: ${{ matrix.MANYLINUX.RUNNER }}
container: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }}
strategy:
fail-fast: false
matrix:
PYTHON:
- { VERSION: "cp37-cp37m", ABI_VERSION: 'cp37' }
- { VERSION: "pp39-pypy39_pp73" }
- { VERSION: "pp310-pypy310_pp73" }
MANYLINUX:
- { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" }
- { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"}
- { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"}
- { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
- { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] }
- { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
exclude:
# There are no readily available musllinux PyPy distributions
- PYTHON: { VERSION: "pp39-pypy39_pp73" }
MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp310-pypy310_pp73" }
MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp39-pypy39_pp73" }
MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- PYTHON: { VERSION: "pp310-pypy310_pp73" }
MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- PYTHON: { VERSION: "pp39-pypy39_pp73" }
MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp310-pypy310_pp73" }
MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp39-pypy39_pp73" }
MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- PYTHON: { VERSION: "pp310-pypy310_pp73" }
MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]}
# We also don't build pypy wheels for anything except the latest manylinux
- PYTHON: { VERSION: "pp39-pypy39_pp73" }
MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp310-pypy310_pp73" }
MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp39-pypy39_pp73" }
MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- PYTHON: { VERSION: "pp310-pypy310_pp73" }
MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}"
steps:
- name: Ridiculous alpine workaround for actions support on arm64
run: |
# This modifies /etc/os-release so the JS actions
# from GH can't detect that it's on alpine:aarch64. It will
# then use a glibc nodejs, which works fine when gcompat
# is installed in the container (which it is)
sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64')
- name: Get build-requirements.txt from repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
# The tag to build or the tag received by the tag event
ref: ${{ github.event.inputs.version || github.ref }}
persist-credentials: false
sparse-checkout: |
${{ env.BUILD_REQUIREMENTS_PATH }}
sparse-checkout-cone-mode: false
- run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv
- name: Install Python dependencies
run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }}
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: cryptography-sdist
- run: mkdir tmpwheelhouse
- name: Build the wheel
run: |
if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
fi
OPENSSL_DIR="/opt/pyca/cryptography/openssl" \
OPENSSL_STATIC=1 \
.venv/bin/python -m pip wheel -v $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse
env:
RUSTUP_HOME: /root/.rustup
- run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/
- run: unzip wheelhouse/*.whl -d execstack.check
- run: |
results=$(readelf -lW execstack.check/cryptography/hazmat/bindings/*.so)
count=$(echo "$results" | grep -c 'GNU_STACK.*[R ][W ]E' || true)
if [ "$count" -ne 0 ]; then
exit 1
else
exit 0
fi
- run: .venv/bin/pip install cryptography --no-index -f wheelhouse/
- run: |
.venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
- run: mkdir cryptography-wheelhouse
- run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}"
path: cryptography-wheelhouse/
macos:
needs: [sdist]
runs-on: macos-13
strategy:
fail-fast: false
matrix:
PYTHON:
- VERSION: '3.11'
ABI_VERSION: 'cp37'
# Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel
DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg'
BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3'
DEPLOYMENT_TARGET: '10.12'
# This archflags is default, but let's be explicit
ARCHFLAGS: '-arch x86_64 -arch arm64'
# See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269
# This will change in the future as we change the base Python we
# build against
_PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2'
- VERSION: '3.11'
ABI_VERSION: 'cp37'
DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg'
BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3'
DEPLOYMENT_TARGET: '10.12'
# We continue to build a non-universal2 for a bit to see metrics on
# download counts (this is a proxy for pip version since universal2
# requires a 21.x pip)
ARCHFLAGS: '-arch x86_64'
_PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64'
- VERSION: 'pypy-3.9'
BIN_PATH: 'pypy3'
DEPLOYMENT_TARGET: '10.12'
_PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64'
ARCHFLAGS: '-arch x86_64'
- VERSION: 'pypy-3.10'
BIN_PATH: 'pypy3'
DEPLOYMENT_TARGET: '10.12'
_PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64'
ARCHFLAGS: '-arch x86_64'
name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}"
steps:
- name: Get build-requirements.txt from repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
# The tag to build or the tag received by the tag event
ref: ${{ github.event.inputs.version || github.ref }}
persist-credentials: false
sparse-checkout: |
${{ env.BUILD_REQUIREMENTS_PATH }}
sparse-checkout-cone-mode: false
- name: Setup python
run: |
curl "$PYTHON_DOWNLOAD_URL" -o python.pkg
sudo installer -pkg python.pkg -target /
env:
PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }}
if: contains(matrix.PYTHON.VERSION, 'pypy') == false
- name: Setup pypy
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
if: contains(matrix.PYTHON.VERSION, 'pypy')
- uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0
with:
repo: pyca/infra
workflow: build-macos-openssl.yml
branch: main
workflow_conclusion: success
name: openssl-macos-universal2
path: "../openssl-macos-universal2/"
github_token: ${{ secrets.GITHUB_TOKEN }}
- uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e
with:
toolchain: stable
# Add the arm64 target in addition to the native arch (x86_64)
target: aarch64-apple-darwin
- run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv
- name: Install Python dependencies
run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }}
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: cryptography-sdist
- run: mkdir wheelhouse
- name: Build the wheel
run: |
if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
fi
OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \
OPENSSL_STATIC=1 \
venv/bin/python -m pip wheel -v $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse
env:
MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }}
ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }}
_PYTHON_HOST_PLATFORM: ${{ matrix.PYTHON._PYTHON_HOST_PLATFORM }}
- run: venv/bin/pip install -f wheelhouse/ --no-index cryptography
- name: Show the wheel's minimum macOS SDK and architectures
run: |
find venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \;
- run: |
venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
- run: mkdir cryptography-wheelhouse
- run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
- run: |
echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}"
path: cryptography-wheelhouse/
windows:
needs: [sdist]
runs-on: windows-latest
strategy:
fail-fast: false
matrix:
WINDOWS:
- {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'}
- {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'}
PYTHON:
- {VERSION: "3.11", "ABI_VERSION": "cp37"}
- {VERSION: "pypy-3.9"}
- {VERSION: "pypy-3.10"}
exclude:
# We need to exclude the below configuration because there is no 32-bit pypy3
- WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'}
PYTHON: {VERSION: "pypy-3.9"}
- WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'}
PYTHON: {VERSION: "pypy-3.10"}
name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}"
steps:
- name: Get build-requirements.txt from repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
# The tag to build or the tag received by the tag event
ref: ${{ github.event.inputs.version || github.ref }}
persist-credentials: false
sparse-checkout: |
${{ env.BUILD_REQUIREMENTS_PATH }}
sparse-checkout-cone-mode: false
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: cryptography-sdist
- name: Setup python
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
architecture: ${{ matrix.WINDOWS.ARCH }}
- uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e
with:
toolchain: stable
target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
- uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0
with:
repo: pyca/infra
workflow: build-windows-openssl.yml
branch: main
workflow_conclusion: success
name: "openssl-${{ matrix.WINDOWS.WINDOWS }}"
path: "C:/openssl-${{ matrix.WINDOWS.WINDOWS }}/"
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Configure OpenSSL
run: |
echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV
echo "OPENSSL_STATIC=1" >> $GITHUB_ENV
shell: bash
- name: Install Python dependencies
run: python -m pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }}
- run: mkdir wheelhouse
- run: |
if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
fi
python -m pip wheel -v cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/
shell: bash
- run: pip install -f wheelhouse --no-index cryptography
- name: Print the OpenSSL we built and linked against
run: |
python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
- run: mkdir cryptography-wheelhouse
- run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION}}"
path: cryptography-wheelhouse\