Commit 1dcde44702 for openssl.org

commit 1dcde44702ceab4c551981525ec94abc1854d8bf
Author: Neil Horman <nhorman@openssl.org>
Date:   Wed Feb 11 15:42:49 2026 -0500

    Add a ci job to validate our suppression file is up to date nightly

    Now that we have a suppression file, let's make sure we keep it up to
    date.  Run a nightly job in CI that runs all our tests under valgrind
    with our current suppression file, and fail if any new errors are
    generated so that we can either address them or add them to the
    suppression file

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Norbert Pocs <norbertp@openssl.org>
    MergeDate: Tue Feb 24 15:11:19 2026
    (Merged from https://github.com/openssl/openssl/pull/30003)

diff --git a/.github/workflows/valgrind-daily.yml b/.github/workflows/valgrind-daily.yml
new file mode 100644
index 0000000000..ac5f7e052e
--- /dev/null
+++ b/.github/workflows/valgrind-daily.yml
@@ -0,0 +1,66 @@
+# Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+name: Test valgrind suppression file
+# Jobs run daily
+
+on:
+  schedule:
+    - cron: '30 02 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+    check-valgrind-suppressions:
+      runs-on: ubuntu-latest
+      steps:
+        - uses: actions/checkout@v6
+          with:
+            persist-credentials: false
+        - name: Install valgrind
+          run: |
+            sudo apt-get -y update
+            sudo apt-get -y install valgrind
+        - name: Get parse suppressions script
+          run: |
+            wget https://raw.githubusercontent.com/coqui-ai/STT/refs/tags/v1.4.0/parse_valgrind_suppressions.sh
+            echo "7414fcb9405f8bd1632442a0b66ffb35457994c6b8b49b2aa91530cf9a7ff645  ./parse_valgrind_suppressions.sh" > ./valgrind_suppressions.sha256
+            sha256sum -c ./valgrind_suppressions.sha256
+            chmod 755 ./parse_valgrind_suppressions.sh
+        - name: Configure
+          run: |
+            ./Configure -DOPENSSL_VALGRIND_TEST
+            ./configdata.pm --dump
+        - name: Make
+          run: |
+            make -j
+        - name: Make test
+          run: |
+            # The quic radix and multistream test times out under valgrind in ci
+            make TESTS="-test_quic_radix -test_quic_multistream" OSSL_USE_VALGRIND=yes test
+        - name: Check for leaks
+          run: |
+            set +e
+            NUM_LOGS=$(find . -name 'valgrind.log.*' | wc -l)
+            echo "Found $NUM_LOGS valgrind logs"
+            if [ $NUM_LOGS == 0 ]; then
+              echo "No logs found!"
+              exit 1
+            fi
+            for i in $(find . -name 'valgrind.log.*'); do
+              ./parse_valgrind_suppressions.sh $i >> ./new_suppressions.txt
+            done
+            NEW_SUPPRESSION_LINES=$(cat ./new_suppressions.txt | wc -l)
+            if [ $NEW_SUPPRESSION_LINES != 0 ]; then
+              echo "New Suppressions Found that need to be addressed!"
+              cat ./new_suppressions.txt
+              exit 1
+            fi
+            echo "No new suppressions found"
+            exit 0
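Review bot: The `Check for leaks` step can pass without having checked anything, because `set +e` at its top makes the loop ignore a failing `./parse_valgrind_suppressions.sh`, and the resulting empty `new_suppressions.txt` is then reported as "No new suppressions found". The script's exit-status convention is not visible in this hunk, so if it returns non-zero only on real errors I would drop `set +e` and write the loop body as `./parse_valgrind_suppressions.sh "$i" >> ./new_suppressions.txt || exit 1`. If it also returns non-zero for a clean log, a comment next to `set +e` saying so would tell the next maintainer why the step is deliberately lenient. Separately, the downloaded script is pinned by SHA-256 while `actions/checkout@v6` is referenced by a movable tag; pinning the action to a full commit SHA would give it the same integrity guarantee.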