wolfSSL · aidangarske · May 23, 2026
diff --git a/.github/actions/wait-for-smoke/action.yml b/.github/actions/wait-for-smoke/action.yml
@@ -0,0 +1,95 @@
+name: 'Wait for Smoke Test'
+description: 'Polls the Smoke Test workflow for the current commit and fails if it failed.'
+
+# Designed to be the leading job in pull_request-triggered workflows so that
+# expensive integration CI does not run unless the smoke build passes.
+#
+# Push events bypass the wait entirely (we still get smoke results for those
+# pushes, but other CI is not gated on push). For drafts, callers should
+# skip dependent jobs via `if: github.event.pull_request.draft == false` -
+# this action will still pass through if smoke is skipped or absent.
+
+inputs:
+  workflow:
+    description: 'Name of the smoke workflow file to wait on'
+    required: false
+    default: 'smoke-test.yml'
+  timeout-seconds:
+    description: 'Maximum time to wait for smoke to complete'
+    required: false
+    default: '1800'
+  poll-seconds:
+    description: 'Polling interval'
+    required: false
+    default: '20'
+  github-token:
+    description: 'GITHUB_TOKEN with actions:read permission'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Wait for smoke
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        SMOKE_WORKFLOW: ${{ inputs.workflow }}
+        TIMEOUT: ${{ inputs.timeout-seconds }}
+        POLL: ${{ inputs.poll-seconds }}
+        REPO: ${{ github.repository }}
+      run: |
+        set -u
+        # Only gate pull_request events. Push events are not gated.
+        if [ "${{ github.event_name }}" != "pull_request" ]; then
+          echo "Not a pull_request event - skipping smoke gate."
+          exit 0
+        fi
+
+        HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+        echo "Waiting for $SMOKE_WORKFLOW on $HEAD_SHA (timeout ${TIMEOUT}s)"
+
+        START=$(date +%s)
+        while :; do
+          NOW=$(date +%s)
+          ELAPSED=$((NOW - START))
+          if [ "$ELAPSED" -ge "$TIMEOUT" ]; then
+            echo "::error::Timed out after ${TIMEOUT}s waiting for $SMOKE_WORKFLOW on $HEAD_SHA"
+            exit 1
+          fi
+
+          # Look up the latest run for this workflow + head SHA.
+          RUN_JSON=$(gh api \
+            "repos/${REPO}/actions/workflows/${SMOKE_WORKFLOW}/runs?head_sha=${HEAD_SHA}&per_page=1" \
+            2>/dev/null || echo '{}')
+
+          STATUS=$(echo "$RUN_JSON"     | jq -r '.workflow_runs[0].status     // "missing"')
+          CONCLUSION=$(echo "$RUN_JSON" | jq -r '.workflow_runs[0].conclusion // ""')
+          RUN_URL=$(echo "$RUN_JSON"    | jq -r '.workflow_runs[0].html_url   // ""')
+
+          case "$STATUS" in
+            completed)
+              case "$CONCLUSION" in
+                success)
+                  echo "Smoke test passed: $RUN_URL"
+                  exit 0
+                  ;;
+                skipped|neutral)
+                  echo "Smoke test was $CONCLUSION - treating as pass: $RUN_URL"
+                  exit 0
+                  ;;
+                *)
+                  echo "::error::Smoke test concluded as '$CONCLUSION': $RUN_URL"
+                  exit 1
+                  ;;
+              esac
+              ;;
+            missing)
+              echo "[$ELAPSED s] No smoke run yet for $HEAD_SHA"
+              ;;
+            *)
+              echo "[$ELAPSED s] Smoke status=$STATUS ($RUN_URL)"
+              ;;
+          esac
+
+          sleep "$POLL"
+        done
diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_bind:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     container:

diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_cjose:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     # Run inside Debian Bookworm to match packaging environment

diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   cmdtest_test:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     name: Command line test
     runs-on: ubuntu-22.04
     timeout-minutes: 20

diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   codespell:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     name: Check for spelling errors
     runs-on: ubuntu-22.04
     timeout-minutes: 5

diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_curl:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     container:

diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true, false ]
 
   libwolfprov-replace-default:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     name: libwolfprov ${{ matrix.replace_default && 'replace-default' || 'standalone' }} ${{ matrix.fips_ref }}
     runs-on: ubuntu-22.04
     needs: build_wolfprovider

diff --git a/.github/workflows/fips-ready.yml b/.github/workflows/fips-ready.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   fips_ready_test:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     name: FIPS Ready Bundle Test
     runs-on: ubuntu-22.04
     timeout-minutes: 20

diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml
@@ -5,13 +5,15 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -26,6 +28,7 @@ jobs:
         replace_default: [ true ]
 
   git-ssh-default-replace-test:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     container:
       image: debian:bookworm

diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_grpc:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     container:

diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**']
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_hostap:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     # Run inside Debian Bookworm with privileged access for UML

diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_iperf:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     container:

diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_krb5:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     container:

diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml
@@ -6,6 +6,7 @@ on:
     branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +15,7 @@ concurrency:
 
 jobs:
   build_wolfprovider:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     uses: ./.github/workflows/build-wolfprovider.yml
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
@@ -28,6 +30,7 @@ jobs:
         replace_default: [ true ]
 
   test_cryptsetup:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     container: