tools: remove openssl v1 update script

PR-URL: https://github.com/nodejs/node/pull/51378 Fixes: https://github.com/nodejs/security-wg/issues/1182 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
2025-12-06 12:20:27 +01:00 · 2024-01-07 10:07:11 +01:00 · 2024-01-07 10:07:11 +01:00 · 5d412a738a
commit 5d412a738a
parent b87360acc2
2 changed files with 14 additions and 117 deletions
--- a/.github/workflows/update-openssl.yml
+++ b/.github/workflows/update-openssl.yml
@ -10,7 +10,7 @@ permissions:
  contents: read

 jobs:
-  openssl-v3-update:
+  openssl-update:
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    steps:
@ -19,7 +19,7 @@ jobs:
          persist-credentials: false
      - name: Check and download new OpenSSL version
        run: |
-          ./tools/dep_updaters/update-openssl.sh download_v3 > temp-output
+          ./tools/dep_updaters/update-openssl.sh download > temp-output
          cat temp-output
          tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
          rm temp-output
@ -58,52 +58,3 @@ jobs:
          branch: actions/tools-update-openssl  # Custom branch *just* for this Action.
          commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
          path: deps/openssl
-  openssl-v1-update:
-    if: github.repository == 'nodejs/node'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
-        with:
-          persist-credentials: false
-          ref: v16.x-staging
-      - name: Check and download new OpenSSL version
-        run: |
-          ./tools/dep_updaters/update-openssl.sh download_v1 > temp-output
-          cat temp-output
-          tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
-          rm temp-output
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-      - name: Create PR with first commit
-        if: env.NEW_VERSION
-        uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329  # v1.9.2
-        # Creates a PR with the new OpenSSL source code committed
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-        with:
-          author: Node.js GitHub Bot <github-bot@iojs.org>
-          body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
-          branch: actions/tools-update-openssl-v1  # Custom branch *just* for this Action.
-          commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
-          labels: dependencies
-          title: '[v16.x] deps: update OpenSSL to ${{ env.NEW_VERSION }}'
-          path: deps/openssl
-          update-pull-request-title-and-body: true
-      - name: Regenerate platform specific files
-        if: env.NEW_VERSION
-        run: |
-          sudo apt install -y nasm libtext-template-perl
-          ./tools/dep_updaters/update-openssl.sh regenerate
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-      - name: Add second commit
-        # Adds a second commit to the PR with the generated platform-dependent files
-        if: env.NEW_VERSION
-        uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329  # v1.9.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-        with:
-          author: Node.js GitHub Bot <github-bot@iojs.org>
-          branch: actions/tools-update-openssl-v1  # Custom branch *just* for this Action.
-          commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
-          path: deps/openssl
--- a/tools/dep_updaters/update-openssl.sh
+++ b/tools/dep_updaters/update-openssl.sh
@ -9,80 +9,26 @@ cleanup() {
  exit $EXIT_CODE
 }

-download_v1() {
-  LATEST_V1_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
-const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1');
-if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
-const releases = await res.json()
-const latest = releases.findLast(({ ref }) => ref.includes('quic'));
-if(!latest) throw new Error(`Could not find latest release for v1`);
-console.log(latest.ref.replace('refs/tags/',''));
-EOF
-)"
-
-  NEW_VERSION_V1=$(echo "$LATEST_V1_TAG_NAME" | sed 's/OpenSSL_//;s/_/./g;s/-/+/g')
-
-  case "$NEW_VERSION_V1" in
-    *quic1) NEW_VERSION_V1_NO_RELEASE="${NEW_VERSION_V1%1}" ;;
-    *) NEW_VERSION_V1_NO_RELEASE="$NEW_VERSION_V1" ;;
-  esac
-
-  VERSION_H="$DEPS_DIR/openssl/openssl/include/openssl/opensslv.h"
-  CURRENT_VERSION=$(grep "OPENSSL_VERSION_TEXT" "$VERSION_H" | sed -n "s/.*OpenSSL \([^\"]*\).*/\1/p" | cut -d ' ' -f 1)
-
-  # This function exit with 0 if new version and current version are the same
-  compare_dependency_version "openssl" "$NEW_VERSION_V1_NO_RELEASE" "$CURRENT_VERSION"
-
-  echo "Making temporary workspace..."
-  WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
-  cd "$WORKSPACE"
-
-  echo "Fetching OpenSSL source archive..."
-  OPENSSL_TARBALL="openssl.tar.gz"
-  curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V1_TAG_NAME"
-  log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
-  gzip -dc "$OPENSSL_TARBALL" | tar xf -
-  rm "$OPENSSL_TARBALL"
-
-  mv quictls-openssl-* openssl
-
-  echo "Replacing existing OpenSSL..."
-  rm -rf "$DEPS_DIR/openssl/openssl"
-  mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"
-  
-  echo "All done!"
-  echo ""
-  echo "Please git add openssl, and commit the new version:"
-  echo ""
-  echo "$ git add -A deps/openssl/openssl"
-  echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
-  echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V1\""
-  echo ""
-  # The last line of the script should always print the new version,
-  # as we need to add it to $GITHUB_ENV variable.
-  echo "NEW_VERSION=$NEW_VERSION_V1"
-}
-
-download_v3() {
-  LATEST_V3_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
+download() {
+  LATEST_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/openssl-3.0');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
 const releases = await res.json()
 const latest = releases.findLast(({ ref }) => ref.includes('quic'));
-if(!latest) throw new Error(`Could not find latest release for v3.0`);
+if(!latest) throw new Error(`Could not find latest release`);
 console.log(latest.ref.replace('refs/tags/',''));
 EOF
 )"
-  NEW_VERSION_V3=$(echo "$LATEST_V3_TAG_NAME" | sed 's/openssl-//;s/-/+/g')
+  NEW_VERSION=$(echo "$LATEST_TAG_NAME" | sed 's/openssl-//;s/-/+/g')

-  case "$NEW_VERSION_V3" in
-    *quic1) NEW_VERSION_V3_NO_RELEASE="${NEW_VERSION_V3%1}" ;;
-    *) NEW_VERSION_V3_NO_RELEASE="$NEW_VERSION_V3" ;;
+  case "$NEW_VERSION" in
+    *quic1) NEW_VERSION_NO_RELEASE="${NEW_VERSION%1}" ;;
+    *) NEW_VERSION_NO_RELEASE="$NEW_VERSION" ;;
  esac
  VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
  CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p")
  # This function exit with 0 if new version and current version are the same
-  compare_dependency_version "openssl" "$NEW_VERSION_V3_NO_RELEASE" "$CURRENT_VERSION"
+  compare_dependency_version "openssl" "$NEW_VERSION_NO_RELEASE" "$CURRENT_VERSION"

  echo "Making temporary workspace..."

@ -93,7 +39,7 @@ EOF

  OPENSSL_TARBALL="openssl.tar.gz"

-  curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V3_TAG_NAME"
+  curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_TAG_NAME"

  log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"

@ -110,11 +56,11 @@ EOF
  echo "Please git add openssl, and commit the new version:"
  echo ""
  echo "$ git add -A deps/openssl/openssl"
-  echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V3\""
+  echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION\""
  echo ""
  # The last line of the script should always print the new version,
  # as we need to add it to $GITHUB_ENV variable.
-  echo "NEW_VERSION=$NEW_VERSION_V3"
+  echo "NEW_VERSION=$NEW_VERSION"
 }

 regenerate() {
@ -168,7 +114,7 @@ main() {
  . "$BASE_DIR/tools/dep_updaters/utils.sh"

  case ${1} in
-    help | regenerate | download_v1 | download_v3 )
+    help | regenerate | download )
      $1 "${2}"
    ;;
    * )