Add mbedtls4 CI coverage

petermm · petermm · commit 5574dabe7f53 · 2026-03-30T19:59:53.000+02:00
Signed-off-by: Peter M &lt;petermm@gmail.com&gt;
diff --git a/.github/workflows/build-and-test-on-freebsd.yaml b/.github/workflows/build-and-test-on-freebsd.yaml
@@ -35,7 +35,7 @@ concurrency:
 jobs:
   build-and-test-on-freebsd:
     runs-on: ubuntu-24.04
-    name: Build and test AtomVM on FreeBSD
+    name: Build and test AtomVM on FreeBSD ${{ matrix.os_release }} (${{ matrix.mbedtls }})
     env:
       ATOMVM_EXAMPLE: "atomvm-example"
 
@@ -44,6 +44,10 @@ jobs:
 
       matrix:
         os_release: ["13.5", "14.3", "15.0"]
+        mbedtls: ["mbedtls@3"]
+        include:
+          - os_release: "14.3"
+            mbedtls: "mbedtls@4"
 
     steps:
 
@@ -60,10 +64,25 @@ jobs:
         sync: rsync
         copyback: false
 
+    - name: "Use latest pkg repo for MbedTLS 4"
+      if: matrix.mbedtls == 'mbedtls@4'
+      shell: freebsd {0}
+      run: |
+        mkdir -p /usr/local/etc/pkg/repos
+        echo 'FreeBSD: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest" }' > /usr/local/etc/pkg/repos/FreeBSD.conf
+        pkg update -f
+
     - name: "Install deps"
+      if: matrix.mbedtls == 'mbedtls@3'
+      shell: freebsd {0}
+      run: |
+        pkg install -y curl cmake gperf erlang elixir rebar3 ninja mbedtls3 socat
+
+    - name: "Install deps (MbedTLS 4)"
+      if: matrix.mbedtls == 'mbedtls@4'
       shell: freebsd {0}
       run: |
-        pkg install -y curl cmake gperf erlang elixir rebar3 mbedtls3 ninja socat
+        pkg install -y curl cmake gperf erlang elixir rebar3 ninja mbedtls4 socat
 
     - name: "Add hostname to /etc/hosts for distribution tests"
       shell: freebsd {0}
@@ -102,6 +121,15 @@ jobs:
         mkdir build
 
     - name: "Build: run cmake"
+      if: matrix.mbedtls == 'mbedtls@3'
+      shell: freebsd {0}
+      run: |
+        cd $GITHUB_WORKSPACE;
+        cd build
+        cmake .. -DAVM_WARNINGS_ARE_ERRORS=ON
+
+    - name: "Build: run cmake (MbedTLS 4)"
+      if: matrix.mbedtls == 'mbedtls@4'
       shell: freebsd {0}
       run: |
         cd $GITHUB_WORKSPACE;
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -59,6 +59,7 @@ jobs:
         # We only test several OTP versions with default compilers for supported OSes (gcc 11, gcc 13, clang 14, clang 18)
         cc: ["gcc-11", "gcc-13", "clang-14", "clang-18"]
         otp: ["26", "27", "28"]
+        mbedtls: ["default"]
 
         include:
         ### gcc
@@ -159,6 +160,12 @@ jobs:
           otp: "master"
           elixir_version: "main"
 
+        # Additional mbedtls@4 coverage with the default Linux toolchain
+        - cc: "cc"
+          cxx: "c++"
+          otp: "28"
+          mbedtls: "mbedtls@4"
+
         # Additional latest & -Os compiler builds
         - cc: "gcc-14"
           cxx: "g++-14"
@@ -540,13 +547,26 @@ jobs:
       run: sudo apt update -y
 
     - name: "Install deps"
-      if: matrix.container != ''
-      run: sudo apt install -y ${{ matrix.compiler_pkgs}} cmake gperf zlib1g-dev doxygen valgrind libmbedtls-dev socat
+      if: matrix.container != '' && matrix.mbedtls != 'mbedtls@4'
+      run: |
+        sudo apt install -y ${{ matrix.compiler_pkgs}} cmake gperf zlib1g-dev doxygen valgrind libmbedtls-dev socat
+
+    - name: "Install deps (MbedTLS 4)"
+      if: matrix.container != '' && matrix.mbedtls == 'mbedtls@4'
+      run: |
+        sudo apt install -y ${{ matrix.compiler_pkgs}} cmake gperf zlib1g-dev doxygen valgrind socat
 
     - name: "Install deps"
-      if: matrix.container == ''
+      if: matrix.container == '' && matrix.mbedtls != 'mbedtls@4'
+      run: |
+        sudo apt install -y ${{ matrix.compiler_pkgs}} cmake gperf zlib1g-dev doxygen libc6-dbg libmbedtls-dev socat
+        # Get a more recent valgrind
+        sudo snap install valgrind --classic
+
+    - name: "Install deps (MbedTLS 4)"
+      if: matrix.container == '' && matrix.mbedtls == 'mbedtls@4'
       run: |
-        sudo apt install -y ${{ matrix.compiler_pkgs}} cmake gperf zlib1g-dev doxygen libmbedtls-dev libc6-dbg socat
+        sudo apt install -y ${{ matrix.compiler_pkgs}} cmake gperf zlib1g-dev doxygen libc6-dbg socat
         # Get a more recent valgrind
         sudo snap install valgrind --classic
 
@@ -582,6 +602,19 @@ jobs:
           https://repo.hex.pm
           https://cdn.jsdelivr.net/hex
 
+    - name: "Install specific MbedTLS version"
+      if: matrix.mbedtls == 'mbedtls@4'
+      run: |
+        git clone --depth 1 --branch mbedtls-4.0.0 --recurse-submodules https://github.com/Mbed-TLS/mbedtls
+        cd mbedtls
+        mkdir build
+        cd build
+        cmake -DENABLE_TESTING=OFF -DUSE_SHARED_MBEDTLS_LIBRARY=On -DCMAKE_INSTALL_PREFIX=/usr/local ..
+        make -j$(nproc)
+        sudo make install
+        sudo ldconfig
+        echo "MBEDTLS_ROOT_DIR=/usr/local" >> $GITHUB_ENV
+
     # Builder info
     - name: "System info"
       run: |
@@ -619,13 +652,23 @@ jobs:
         key: ${{ matrix.otp || env.DEFAULT_OTP_VERSION }}-${{ hashFiles('**/build-and-test.yaml', 'tests/**/*.erl', 'tests/**/*.hrl', 'tests/**/*.ex') }}-${{ matrix.jit_target_arch || 'nojit' }}-${{ contains(matrix.cmake_opts_other, 'AVM_DISABLE_JIT_DWARF=OFF') && 'dwarf' || 'nodwarf' }}
 
     - name: "Build: run cmake"
+      if: matrix.mbedtls != 'mbedtls@4'
       working-directory: build
       run: |
         cmake ${{ matrix.cmake_opts_fp }} ${{ matrix.cmake_opts_smp }} ${{ matrix.cmake_opts_other || env.DEFAULT_CMAKE_OPTS_OTHER }} ..
         # git clone will use more recent timestamps than cached beam files
         # touch them so we can benefit from the cache and avoid costly beam file rebuild.
         find . -name '*.beam' -exec touch {} \;
 
+    - name: "Build: run cmake (MbedTLS 4)"
+      if: matrix.mbedtls == 'mbedtls@4'
+      working-directory: build
+      run: |
+        cmake -DMBEDTLS_ROOT_DIR=/usr/local ${{ matrix.cmake_opts_fp }} ${{ matrix.cmake_opts_smp }} ${{ matrix.cmake_opts_other || env.DEFAULT_CMAKE_OPTS_OTHER }} ..
+        # git clone will use more recent timestamps than cached beam files
+        # touch them so we can benefit from the cache and avoid costly beam file rebuild.
+        find . -name '*.beam' -exec touch {} \;
+
     - name: "Build: run make"
       working-directory: build
       run: make -j3
