[macOS] OpenSSL 1.1 will be removed and OpenSSL 3 will be the default for all macOS images once [date not determined] #10817
Comments
This means currently some runs on macos-14 have [email protected] and some don't: This is quite problematic because if something is built on macos-14 on a run with [email protected] (and the software links to that) it can fail when that's later used in another run as [email protected] Basically, anything that ever linked to [email protected] on macos-* will be broken by this change (until it's recompiled against openssl@3). |
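
The linkage problem described in the comment above can be checked before a build artifact is reused. This is an added example, not part of the thread or of the runner-images project: it parses `otool -L` output and lists the binaries that still load OpenSSL 1.1. The sample output and the `build/bin/...` paths are constructed.

```python
import re
import sys

# libssl/libcrypto install names, e.g. libssl.1.1.dylib or libcrypto.3.dylib
OPENSSL_LIB = re.compile(r"lib(?:ssl|crypto)\.(\d+(?:\.\d+)*)\.dylib")

def parse_otool(text):
    """Map each binary in `otool -L` output to the dylib install names it loads."""
    deps, current = {}, None
    for line in text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):
            # Header: "<path>:" or "<path> (architecture arm64):" for fat binaries
            current = re.sub(r" \(architecture [^)]*\)$", "", line.rstrip()[:-1])
            deps.setdefault(current, [])
        elif current is not None and line.strip():
            # Dependency: "<tab><install name> (compatibility version ...)"
            deps[current].append(line.strip().split(" (compatibility", 1)[0])
    return deps

def openssl_links(deps):
    """Return {binary: {openssl_version: [install names]}} for dynamic OpenSSL use."""
    report = {}
    for binary, libs in deps.items():
        for lib in libs:
            m = OPENSSL_LIB.search(lib)
            if m:
                report.setdefault(binary, {}).setdefault(m.group(1), []).append(lib)
    return report

def needs_rebuild(deps):
    """Binaries that load OpenSSL 1.1 dylibs and fail on an image without them."""
    return sorted(b for b, v in openssl_links(deps).items() if "1.1" in v)

# Constructed sample of `otool -L` output (not taken from the issue thread).
SAMPLE = """\
build/bin/tool_a:
\t/usr/local/opt/openssl@1.1/lib/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)
build/bin/tool_b (architecture arm64):
\t/opt/homebrew/opt/openssl@3/lib/libssl.3.dylib (compatibility version 3.0.0, current version 3.0.0)
"""

if __name__ == "__main__":
    # On a macOS runner: otool -L build/bin/* | python3 this_file.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    stale = needs_rebuild(parse_otool(text))
    print("\n".join(stale) or "no OpenSSL 1.1 linkage found")
    sys.exit(1 if stale else 0)
```

The non-zero exit status lets a workflow step fail early when a cached or downloaded artifact still depends on OpenSSL 1.1; statically linked OpenSSL does not appear in `otool -L` output and is not detected.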
* Should help when 1.1 is removed like in actions/runner-images#10817
* 1.1 is EOL
Is there a way to configure our build so we only run on the |
We worked around it with |
Could this change be breaking |
In this test run https://github.com/Chia-Network/chia-blockchain/actions/runs/11745259139?pr=18844 with 30x each of macOS ARM/Intel and Python version 3.9/3.10/3.11/3.12, only 3.10 on Intel failed. The passing jobs were run on either 20241008.186 or 20241023.237. The failing jobs were on 20241107.313. |
I think we might be seeing a combination of both #10817 and #10812. In your test run, Python 3.10 was found in the cache on macOS ARM64, so it passes. But if you land on an agent without Python 3.10 in the cache, it will try to download and install, but fails with the SSL error. |
I'm facing the same problem and if rollout to [email protected] all the
security import ***/MSALCPPAppleBuildCertificate_fgh.p12 -P *** -A -t cert -f pkcs12 -k ***/ios_signing_temp.keychain which requires the MSALCPPAppleBuildCertificate_fgh.p12 signed by [email protected] |
Hi All, We are currently reverting the change and keeping OpenSSL 1.1 in our images. It will be the default version for now. |
@sarathrajsrinivasan Why was this reverted? After having spent time adjusting our flows to make it work with v3, we now need to undo that work, causing more disruption. This is likely the case for many others. |
@dalemyers There is no need to undo that work, openssl@3 is available before & after that change. |
It is, but it's not the default, and various tasks expect one version or the other, so they need to be adjusted. Anything we control calling |
We are still facing this issue and we are really stuck. Is the fix/revert going to be applied soon? Thanks |
Are you seeing v1.1.1 or v3 right now? We've been running ours with both versions of the task that's having an issue and using |
Is it not possible to skip the task (not needed) based on the agent macOS version check? |
I have just tried using both and both failed. I added "continueOnError" and legacy. This is just mad now - what are we going to do? Can someone post a full workaround, if any? We cannot deploy an app to prod because of this.
|
It's currently potluck if you get a runner image that actually works. 20241022.244 works while 20241106.316 fails. I just have to keep running the build until it eventually gets the older image and completes. It's absolutely ridiculous. |
I'm seeing both |
@d-philipson yes I 100% concur this is ridiculous |
For the near future, the issue is removed from the agenda due to the unpreparedness of some critical services for this change. We will notify you of planned changes when exact dates are set. |
I am going to close this item until a better time. It will be raised again later. |
OpenSSL 1.1 is deprecated in favor of 3.0: actions/runner-images#10817 `rzup` was being dynamically linked against OpenSSL 1.1 on our runners, causing compatibility issues on systems with different OpenSSL versions. This switches `reqwest` feature to use `native-tls-vendored` for static linking, rather than dynamically linked `rustls-tls`.
Breaking changes
OpenSSL 1.1 will be removed from all macOS images and the default version will be switched to OpenSSL 3.
Target date
The motivation for the changes
OpenSSL 1.1 has reached its end-of-life (EOL) and is no longer supported. Due to its deprecation, Homebrew has removed it from its available packages.
Possible impact
If your library/project is not compatible with OpenSSL 3 and you build it against the default OpenSSL version, your workflow will be broken.
Platforms affected
Runner images affected
Mitigation ways
Use the below step in your workflow to download and install OpenSSL 1.1 manually