Share test setup steps to manage divergence

MatthiasValvekens · MatthiasValvekens · commit e6570a5e3548 · 2025-07-20T15:04:35.000+09:00
diff --git a/.github/actions/test-setup/action.yml b/.github/actions/test-setup/action.yml
@@ -0,0 +1,76 @@
+name: test-setup
+author: Matthias Valvekens
+description: Perform set-up for python-pkcs11 CI
+inputs:
+  os:
+    description: OS to target
+    required: true
+  python-version:
+    description: Python version to target
+    required: true
+  dependency-group:
+    description: UV dependency group to install
+    required: true
+  pkcs11-platform:
+    description: PKCS#11 platform to target
+    required: true
+  token-label:
+    description: Label assigned to the token
+    required: true
+  token-user-pin:
+    description: User PIN to configure on the token
+    required: true
+  token-so-pin:
+    description: Security officer PIN to configure on the token
+    required: true
+outputs:
+  module:
+    description: Path to PKCS#11 module
+    value: ${{ steps.install-result.outputs.module }}
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+    - uses: ./.github/actions/install-softhsm
+      if: inputs.pkcs11-platform == 'softhsm'
+      id: softhsm
+      with:
+        os: ${{ inputs.os }}
+        token-label: ${{ inputs.token-label }}
+        token-so-pin: ${{ inputs.token-so-pin }}
+        token-user-pin: ${{ inputs.token-user-pin }}
+    - uses: ./.github/actions/install-opencryptoki
+      # only run opencryptoki tests on ubuntu
+      # (macos and windows don't seem to be supported)
+      if: inputs.pkcs11-platform == 'opencryptoki'
+      id: opencryptoki
+      with:
+        os: ${{ inputs.os }}
+        token-label: ${{ inputs.token-label }}
+        token-so-pin: ${{ inputs.token-so-pin }}
+        token-user-pin: ${{ inputs.token-user-pin }}
+    - name: Set module path
+      id: install-result
+      shell: bash
+      run: |
+        if [[ "$PLATFORM" == 'opencryptoki' ]]; then
+          echo "module=${{ steps.opencryptoki.outputs.module }}" >> "$GITHUB_OUTPUT"
+        elif [[ "$PLATFORM" == 'softhsm' ]]; then
+          echo "module=${{ steps.softhsm.outputs.module }}" >> "$GITHUB_OUTPUT"
+        else
+          echo "$PLATFORM is not a valid PKCS#11 platform choice"
+          exit 1
+        fi
+      env:
+        PLATFORM: ${{ inputs.pkcs11-platform }}
+    - name: Install uv
+      uses: astral-sh/setup-uv@v4
+      with:
+        enable-cache: true
+        python-version: ${{ inputs.python-version }}
+    - name: Install testing dependencies
+      shell: bash
+      run: uv sync --no-dev --exact --group "${{ inputs.dependency-group }}"
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -14,6 +14,11 @@ jobs:
   # seems to lead to segfaults in Python 3.13 -> TODO: investigate
   pytest-coverage:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        pkcs11-platform:
+          - softhsm
+          - opencryptoki
     steps:
       - name: Acquire sources
         uses: actions/checkout@v4
@@ -23,50 +28,27 @@ jobs:
         # Doing it here is still better than introducing a non-declarative setup.py into the
         # build again.
         run: sed -i 's/#coverage#cython/#cython/g' pkcs11/*.pyx
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.12
-      - uses: ./.github/actions/install-softhsm
-        id: softhsm
-        with:
-          os: ubuntu-latest
-          token-label: ${{ env.PKCS11_TOKEN_LABEL }}
-          token-so-pin: ${{ env.PKCS11_TOKEN_SO_PIN }}
-          token-user-pin: ${{ env.PKCS11_TOKEN_PIN }}
-      - uses: ./.github/actions/install-opencryptoki
-        # only run opencryptoki tests on ubuntu
-        # (macos and windows don't seem to be supported)
-        id: opencryptoki
+      - uses: ./.github/actions/test-setup
+        id: setup
         with:
           os: ubuntu-latest
+          python-version: "3.12"
+          dependency-group: coverage
           token-label: ${{ env.PKCS11_TOKEN_LABEL }}
           token-so-pin: ${{ env.PKCS11_TOKEN_SO_PIN }}
           token-user-pin: ${{ env.PKCS11_TOKEN_PIN }}
-      - name: Install uv
-        uses: astral-sh/setup-uv@v4
-        with:
-          enable-cache: true
-          python-version: 3.12
-      - name: Install testing dependencies
-        run: uv sync --no-dev --exact --group coverage
+          pkcs11-platform: ${{ matrix.pkcs11-platform }}
         env:
           CFLAGS: "-DCYTHON_TRACE_NOGIL=1"
           EXT_BUILD_DEBUG: "1"
-      - name: Run tests with SoftHSM
-        run: uv run pytest -v --cov=pkcs11 --cov-branch --cov-report=xml:python-softhsm-coverage.xml
-        env:
-          PKCS11_MODULE: ${{ steps.softhsm.outputs.module }}
-      - name: Run tests with opencryptoki
-        run: uv run pytest -v --cov=pkcs11 --cov-branch --cov-report=xml:python-opencryptoki-coverage.xml
+      - name: Run tests
+        run: uv run pytest -v --cov=pkcs11 --cov-branch --cov-report=xml:${{ matrix.pkcs11-platform }}-coverage.xml
         env:
-          PKCS11_MODULE: ${{ steps.opencryptoki.outputs.module }}
-          # For testing logic around swapping PKCS#11 libs
-          PKCS11_MODULE2: ${{ steps.softhsm.outputs.module }}
+          PKCS11_MODULE: ${{ steps.setup.outputs.module }}
       - name: Stash coverage report
         uses: actions/upload-artifact@v4
         with:
-          name: coverage
+          name: coverage-${{ strategy.job-index }}
           path: "*-coverage.xml"
   codecov-upload:
     permissions:
@@ -80,7 +62,7 @@ jobs:
       - name: Retrieve coverage reports
         uses: actions/download-artifact@v4
         with:
-          name: coverage
+          pattern: coverage-*
           path: ./reports/
       - name: Upload all coverage reports to Codecov
         uses: codecov/codecov-action@v5
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -27,46 +27,30 @@ jobs:
           - "3.11"
           - "3.12"
           - "3.13"
+        pkcs11-platform:
+          - softhsm
+          - opencryptoki
+        exclude:
+          # only run opencryptoki tests on ubuntu
+          # (macos and windows don't seem to be supported)
+          - pkcs11-platform: opencryptoki
+            os: windows-latest
+          - pkcs11-platform: opencryptoki
+            os: macos-latest
     steps:
       - name: Acquire sources
         uses: actions/checkout@v4
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
-      - uses: ./.github/actions/install-softhsm
-        id: softhsm
-        with:
-          os: ${{ matrix.os }}
-          token-label: ${{ env.PKCS11_TOKEN_LABEL }}
-          token-so-pin: ${{ env.PKCS11_TOKEN_SO_PIN }}
-          token-user-pin: ${{ env.PKCS11_TOKEN_PIN }}
-      - uses: ./.github/actions/install-opencryptoki
-        # only run opencryptoki tests on ubuntu
-        # (macos and windows don't seem to be supported)
-        if: matrix.os == 'ubuntu-latest'
-        id: opencryptoki
+      - uses: ./.github/actions/test-setup
+        id: setup
         with:
           os: ${{ matrix.os }}
           token-label: ${{ env.PKCS11_TOKEN_LABEL }}
           token-so-pin: ${{ env.PKCS11_TOKEN_SO_PIN }}
           token-user-pin: ${{ env.PKCS11_TOKEN_PIN }}
-      - name: Install uv
-        uses: astral-sh/setup-uv@v4
-        with:
-          enable-cache: true
           python-version: ${{ matrix.python-version }}
-      - name: Install testing dependencies
-        run: uv sync --no-dev --exact --group testing
-      - name: Run tests with SoftHSM
-        run: uv run pytest -v
-        env:
-          PKCS11_MODULE: ${{ steps.softhsm.outputs.module }}
-      - name: Run tests with opencryptoki
-        if: matrix.os == 'ubuntu-latest'
+          pkcs11-platform: ${{ matrix.pkcs11-platform }}
+          dependency-group: testing
+      - name: Run tests
         run: uv run pytest -v
         env:
-          PKCS11_MODULE: ${{ steps.opencryptoki.outputs.module }}
-          # For testing logic around swapping PKCS#11 libs
-          PKCS11_MODULE2: ${{ steps.softhsm.outputs.module }}
+          PKCS11_MODULE: ${{ steps.setup.outputs.module }}
diff --git a/tests/test_multilib.py b/tests/test_multilib.py
@@ -0,0 +1,26 @@
+"""
+PKCS#11 Slots and Tokens
+"""
+
+import os
+import unittest
+
+import pkcs11
+
+from . import LIB
+
+
+@unittest.skipUnless("PKCS11_MODULE2" in os.environ, "Requires an additional PKCS#11 module")
+class MultilibTests(unittest.TestCase):
+    def test_double_initialise_different_libs(self):
+        lib1 = pkcs11.lib(LIB)
+        lib2 = pkcs11.lib(os.environ["PKCS11_MODULE2"])
+        self.assertIsNotNone(lib1)
+        self.assertIsNotNone(lib2)
+        self.assertIsNot(lib1, lib2)
+
+        slots1 = lib1.get_slots()
+        slots2 = lib2.get_slots()
+
+        self.assertGreaterEqual(len(slots1), 1)
+        self.assertGreaterEqual(len(slots2), 1)
diff --git a/tests/test_slots_and_tokens.py b/tests/test_slots_and_tokens.py
@@ -2,7 +2,6 @@
 PKCS#11 Slots and Tokens
 """
 
-import os
 import unittest
 
 import pkcs11
@@ -23,20 +22,6 @@ def test_nonexistent_lib(self):
         with self.assertRaises(RuntimeError):
             pkcs11.lib("thislibdoesntexist.so")
 
-    @unittest.skipUnless("PKCS11_MODULE2" in os.environ, "Requires an additional PKCS#11 module")
-    def test_double_initialise_different_libs(self):
-        lib1 = pkcs11.lib(LIB)
-        lib2 = pkcs11.lib(os.environ["PKCS11_MODULE2"])
-        self.assertIsNotNone(lib1)
-        self.assertIsNotNone(lib2)
-        self.assertIsNot(lib1, lib2)
-
-        slots1 = lib1.get_slots()
-        slots2 = lib2.get_slots()
-
-        self.assertGreaterEqual(len(slots1), 1)
-        self.assertGreaterEqual(len(slots2), 1)
-
     def test_double_initialise_nonexistent_lib(self):
         self.assertIsNotNone(pkcs11.lib(LIB))
         with self.assertRaises(RuntimeError):
