From e1020f8ab6b1cc47452a62503daa3a5ecb1124eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Vo=C5=99=C3=AD=C5=A1ek?= Date: Sat, 14 Mar 2026 15:05:02 +0100 Subject: [PATCH] Verify BLAKE3 bundled files using CI --- .../scripts/download-bundled/blake3.h.patch | 20 ++++++++++ .github/scripts/download-bundled/blake3.sh | 37 +++++++++++++++++++ .github/workflows/verify-bundled-files.yml | 13 +++++++ 3 files changed, 70 insertions(+) create mode 100644 .github/scripts/download-bundled/blake3.h.patch create mode 100755 .github/scripts/download-bundled/blake3.sh diff --git a/.github/scripts/download-bundled/blake3.h.patch b/.github/scripts/download-bundled/blake3.h.patch new file mode 100644 index 0000000000000..dc1cbc0389269 --- /dev/null +++ b/.github/scripts/download-bundled/blake3.h.patch @@ -0,0 +1,20 @@ +diff --git a/ext/hash/blake3/upstream_blake3/c/blake3.h b/ext/hash/blake3/upstream_blake3/c/blake3.h +index 35f2bb9..59f68a7 100644 +--- a/ext/hash/blake3/upstream_blake3/c/blake3.h ++++ b/ext/hash/blake3/upstream_blake3/c/blake3.h +@@ -44,6 +44,7 @@ typedef struct { + uint64_t chunk_counter; + uint8_t buf[BLAKE3_BLOCK_LEN]; + uint8_t buf_len; ++ uint8_t padding_1[5]; + uint8_t blocks_compressed; + uint8_t flags; + } blake3_chunk_state; +@@ -58,6 +59,7 @@ typedef struct { + // don't know whether more input is coming. This is different from how the + // reference implementation does things. + uint8_t cv_stack[(BLAKE3_MAX_DEPTH + 1) * BLAKE3_OUT_LEN]; ++ uint8_t padding_2[7]; + } blake3_hasher; + + BLAKE3_API const char *blake3_version(void); diff --git a/.github/scripts/download-bundled/blake3.sh b/.github/scripts/download-bundled/blake3.sh new file mode 100755 index 0000000000000..e2eb0140b7694 --- /dev/null +++ b/.github/scripts/download-bundled/blake3.sh @@ -0,0 +1,37 @@ +#!/bin/sh +set -ex +cd "$(dirname "$0")/../../.." + +tmp_dir=/tmp/php-src-download-bundled/blake3 +rm -rf "$tmp_dir" + +revision=refs/tags/1.8.3 + +git clone --depth 1 --revision="$revision" https://github.com/BLAKE3-team/BLAKE3.git "$tmp_dir" + +rm -rf ext/hash/blake3/upstream_blake3 +mkdir ext/hash/blake3/upstream_blake3 +cp -R "$tmp_dir"/c ext/hash/blake3/upstream_blake3 +cp "$tmp_dir"/LICENSE_CC0 ext/hash/blake3/upstream_blake3 + +cd ext/hash/blake3/upstream_blake3 + +# remove unneeded files +rm -R c/blake3_c_rust_bindings +rm -R c/cmake +rm -R c/dependencies +rm c/.gitignore +rm c/blake3_tbb.cpp +rm c/blake3-config.cmake.in +rm c/CMakeLists.txt +rm c/CMakePresets.json +rm c/example.c +rm c/example_tbb.c +rm c/libblake3.pc.in +rm c/main.c +rm c/Makefile.testing +rm c/README.md +rm c/test.py + +# patch customized files +git apply -v ../../../../.github/scripts/download-bundled/blake3.h.patch diff --git a/.github/workflows/verify-bundled-files.yml b/.github/workflows/verify-bundled-files.yml index 473d6e2d8f4df..c4d73854c0d56 100644 --- a/.github/workflows/verify-bundled-files.yml +++ b/.github/workflows/verify-bundled-files.yml @@ -5,6 +5,7 @@ on: paths: &paths - '.github/scripts/download-bundled/**' - 'Zend/asm/**' + - 'ext/hash/blake3/upstream_blake3/**' - 'ext/pcre/pcre2lib/**' - 'ext/uri/uriparser/**' pull_request: @@ -34,6 +35,9 @@ jobs: 'boost-context': - '.github/scripts/download-bundled/boost-context.*' - 'Zend/asm/**' + blake3: + - '.github/scripts/download-bundled/blake3.*' + - 'ext/hash/blake3/upstream_blake3/**' pcre2: - '.github/scripts/download-bundled/pcre2.*' - 'ext/pcre/pcre2lib/**' @@ -50,6 +54,15 @@ jobs: echo "::group::Verify files" .github/scripts/test-directory-unchanged.sh Zend/asm echo "::endgroup::" + - name: BLAKE3 + if: ${{ !cancelled() && (steps.changes.outputs.blake3 == 'true' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }} + run: | + echo "::group::Download" + .github/scripts/download-bundled/blake3.sh + echo "::endgroup::" + echo "::group::Verify files" + .github/scripts/test-directory-unchanged.sh 'ext/hash/blake3/upstream_blake3' + echo "::endgroup::" - name: PCRE2 if: ${{ !cancelled() && (steps.changes.outputs.pcre2 == 'true' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }} run: |