tools: migrate from openssl-matrix.json to openssl-matrix.nix

Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: nodejs#63036
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

Author: aduh95

.github/workflows/test-shared.yml

@@ -172,6 +172,7 @@ jobs:
     name: 'aarch64-linux: Cache V8 build'
     outputs:
       local-cache: ${{ steps.upload.outcome != 'skipped' && 'true' || '' }}
+      matrix: ${{ steps.query.outputs.matrix }}
     steps:
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
@@ -227,25 +228,17 @@ jobs:
           name: libv8
           path: libv8
 
-  # Builds the matrix for `build-openssl` from tools/nix/openssl-matrix.json.
-  # Output shape:
-  # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
-  collect-openssl-versions:
-    if: github.event.pull_request.draft == false
-    runs-on: ubuntu-slim
-    outputs:
-      matrix: ${{ steps.query.outputs.matrix }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-          sparse-checkout: tools/nix/openssl-matrix.json
-          sparse-checkout-cone-mode: false
-      - id: query
+      - name: Collect matrix of support OpenSSL versions
+        id: query
         run: |
           {
             echo 'matrix<<EOF'
-            cat tools/nix/openssl-matrix.json
+            nix-instantiate --eval --strict --json -E "
+              let
+                matrix = import $TAR_DIR/tools/nix/openssl-matrix.nix {};
+              in
+              builtins.map (attr: { inherit attr; inherit (builtins.getAttr attr matrix) name; }) (builtins.attrNames matrix)
+            "
             echo 'EOF'
           } >> "$GITHUB_OUTPUT"
 
@@ -255,19 +248,16 @@ jobs:
   # entry, while all other shared libs remain at their defaults. Only runs on
   # a single runner/system (aarch64-linux) to keep the matrix to a minimum.
   build-openssl:
-    needs:
-      - build-aarch64-linux-v8
-      - collect-openssl-versions
+    needs: build-aarch64-linux-v8
     strategy:
       fail-fast: false
       matrix:
-        openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }}
-    name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})'
+        openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }}
+    name: 'aarch64-linux: with shared ${{ matrix.openssl.name }}'
     runs-on: ubuntu-24.04-arm
-    continue-on-error: ${{ matrix.openssl['continue-on-error'] }}
+    continue-on-error: false
     env:
       OPENSSL_ATTR: ${{ matrix.openssl.attr }}
-      OPENSSL_VERSION: ${{ matrix.openssl.version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
@@ -293,5 +283,5 @@ jobs:
           extra-nix-flags: |
             --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8)"' || 'true' }} \
             --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // {
-                openssl = (import $TAR_DIR/tools/nix/pkgs.nix { config.permittedInsecurePackages = [ \"openssl-$OPENSSL_VERSION\" ]; }).$OPENSSL_ATTR;
+                openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR;
               }" \

tools/dep_updaters/update-nixpkgs-pin.sh

@@ -5,7 +5,7 @@ set -ex
 
 BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
 NIXPKGS_PIN_FILE="$BASE_DIR/tools/nix/pkgs.nix"
-OPENSSL_MATRIX_FILE="$BASE_DIR/tools/nix/openssl-matrix.json"
+OPENSSL_MATRIX_FILE="$BASE_DIR/tools/nix/openssl-matrix.nix"
 
 NIXPKGS_REPO=$(grep 'repo =' "$NIXPKGS_PIN_FILE" | awk -F'"' '{ print $2 }')
 CURRENT_VERSION_SHA1=$(grep 'rev =' "$NIXPKGS_PIN_FILE" | awk -F'"' '{ print $2 }')
@@ -26,7 +26,37 @@ TMP_FILE=$(mktemp)
 sed "s/$CURRENT_VERSION_SHA1/$NEW_UPSTREAM_SHA1/;s/$CURRENT_TARBALL_HASH/$NEW_TARBALL_HASH/" "$NIXPKGS_PIN_FILE" > "$TMP_FILE"
 mv "$TMP_FILE" "$NIXPKGS_PIN_FILE"
 
-"$BASE_DIR/tools/nix/collect-openssl-matrix.sh" | jq . > "$OPENSSL_MATRIX_FILE"
+nix-instantiate -I "nixpkgs=$NIXPKGS_PIN_FILE" --eval --strict --json -E "
+  let
+    pkgs = import <nixpkgs> {};
+    attrs = builtins.filter
+      (n:
+        let t = builtins.tryEval pkgs.\${n}; in
+        t.success && (builtins.tryEval t.value.version).success
+      )
+      (
+        builtins.filter
+          (n: builtins.match \"openssl_[0-9]+(_[0-9]+)?\" n != null)
+          (builtins.attrNames pkgs)
+      );
+  in
+  {
+    inherit attrs;
+    permittedInsecurePackages = builtins.map (attr: pkgs.\${attr}.name) (
+      builtins.filter (attr: (pkgs.\${attr}.meta.insecure)) attrs
+    );
+  }
+" | jq -r '"{
+  pkgs ? import ./pkgs.nix {
+    config.permittedInsecurePackages = [ \(.permittedInsecurePackages | map(@json) | join(" ")) ];
+  },
+}:
+
+{
+  inherit (pkgs)
+    \(.attrs | join("\n    "))
+    ;
+}"' > "$OPENSSL_MATRIX_FILE"
 
 cat -<<EOF
 All done!

tools/nix/collect-openssl-matrix.sh

@@ -0,0 +1,15 @@
+{
+  pkgs ? import ./pkgs.nix {
+    config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
+  },
+}:
+
+{
+  inherit (pkgs)
+    openssl_1_1
+    openssl_3
+    openssl_3_5
+    openssl_3_6
+    openssl_4_0
+    ;
+}

tools/nix/openssl-matrix.json

@@ -48,7 +48,7 @@
   ffi = pkgs.libffiReal;
 })
 // (pkgs.lib.optionalAttrs withSSL ({
-  openssl = pkgs.openssl_3_5;
+  openssl = (import ./openssl-matrix.nix { inherit pkgs; }).openssl_3_5;
 }))
 // (pkgs.lib.optionalAttrs withTemporal {
   inherit (pkgs) temporal_capi;