perf: cache BoringSSL builds across Python versions on Linux

arman-bd · claude · arman-bd · commit ed1295014660 · 2025-10-12T04:39:24.000+02:00
Optimize Linux wheel builds to reduce time from ~40 minutes to ~10 minutes by reusing BoringSSL builds across Python versions. Changes: 1. Modified scripts/linux/setup_vendors.sh to check for existing built libraries BEFORE removing the directory, allowing cibuildwheel to reuse builds across Python versions 2. The script now: - Checks if boringssl/build contains valid libssl.a and libcrypto.a - Only removes and rebuilds if libraries are missing or invalid - Skips expensive 5-10 minute BoringSSL build for Python versions 2-7 3. Updated cache key to v11 to ensure clean state with new logic How it works: - First Python version (cp38) builds BoringSSL (~5-10 min) - Subsequent Python versions (cp39-cp314) reuse the build (~10 sec each) - Total build time: ~10-15 min instead of ~40 min The vendor directory is mounted into each cibuildwheel manylinux container, so builds persist across Python versions within the same CI run. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/_build_linux.yml b/.github/workflows/_build_linux.yml
@@ -27,32 +27,33 @@ jobs:
         cache: true
 
     # Cache vendor dependencies to speed up builds
-    # Note: For Linux, vendors are built inside manylinux container, so we cache the vendor directory
     - name: Restore vendor cache
       id: cache-vendor
       uses: actions/cache/restore@v4
       with:
         path: vendor
-        key: vendor-linux-manylinux-${{ hashFiles('scripts/linux/setup_vendors.sh') }}-v10
+        key: vendor-linux-manylinux-${{ hashFiles('scripts/linux/setup_vendors.sh') }}-v11
         restore-keys: |
-          vendor-linux-manylinux-${{ hashFiles('scripts/linux/setup_vendors.sh') }}-v10
+          vendor-linux-manylinux-${{ hashFiles('scripts/linux/setup_vendors.sh') }}-v11
 
     # Build wheels with cibuildwheel (handles manylinux containers)
-    # The vendor directory is mounted into the container automatically
+    # The vendor directory is mounted into the container and shared across Python versions
+    # The setup script will skip rebuilding if libraries already exist
     - name: Build wheels
       uses: pypa/cibuildwheel@v2.22.0
       env:
         # Build for specified Python versions
         CIBW_BUILD: cp38-manylinux_x86_64 cp39-manylinux_x86_64 cp310-manylinux_x86_64 cp311-manylinux_x86_64 cp312-manylinux_x86_64 cp313-manylinux_x86_64 cp314-manylinux_x86_64
         # Vendor build happens inside manylinux container via before-build (from pyproject.toml)
+        # The script will detect cached libraries and skip rebuilding
 
     # Save vendor cache after build
     - name: Save vendor cache
       if: steps.cache-vendor.outputs.cache-hit != 'true'
       uses: actions/cache/save@v4
       with:
         path: vendor
-        key: vendor-linux-manylinux-${{ hashFiles('scripts/linux/setup_vendors.sh') }}-v10
+        key: vendor-linux-manylinux-${{ hashFiles('scripts/linux/setup_vendors.sh') }}-v11
 
     # Setup Python versions for testing
     - name: Setup Python versions
diff --git a/scripts/linux/setup_vendors.sh b/scripts/linux/setup_vendors.sh
@@ -28,20 +28,20 @@ cd "$VENDOR_DIR"
 #
 echo "==> Setting up BoringSSL..."
 
-# Always remove and re-clone BoringSSL to ensure clean state
-# This prevents platform cross-contamination (e.g., macOS files on Linux runners)
-if [ -d "boringssl" ]; then
-    echo "Removing existing BoringSSL directory to ensure clean build..."
-    rm -rf boringssl
-fi
-
-echo "Cloning BoringSSL..."
-git clone --depth 1 https://boringssl.googlesource.com/boringssl
+# Check if BoringSSL is already built with valid libraries
+if [ -d "boringssl/build" ] && [ -f "boringssl/build/libssl.a" ] && [ -f "boringssl/build/libcrypto.a" ]; then
+    echo "✓ BoringSSL already built (using cached build)"
+else
+    # Remove any incomplete or contaminated BoringSSL directory
+    if [ -d "boringssl" ]; then
+        echo "Removing existing BoringSSL directory to ensure clean build..."
+        rm -rf boringssl
+    fi
 
-cd boringssl
+    echo "Cloning BoringSSL..."
+    git clone --depth 1 https://boringssl.googlesource.com/boringssl
 
-# Check if already built
-if [ ! -f "build/libssl.a" ]; then
+    cd boringssl
     echo "Building BoringSSL..."
 
     # Check for required tools
@@ -54,12 +54,6 @@ if [ ! -f "build/libssl.a" ]; then
         echo "WARNING: go not found. BoringSSL will build without some tests."
     fi
 
-    # Clean build directory if it exists (in case of previous failed build)
-    if [ -d "build" ]; then
-        echo "Cleaning previous build..."
-        rm -rf build
-    fi
-
     mkdir -p build
     cd build
 
@@ -78,6 +72,7 @@ if [ ! -f "build/libssl.a" ]; then
     # BoringSSL's CMake is incorrectly trying to use Apple assembly files on Linux
     # Using -DOPENSSL_NO_ASM=1 forces pure C implementations instead
     echo "Building BoringSSL with assembly disabled to avoid platform detection issues..."
+    echo "(This may take 5-10 minutes on first build, but will be cached for subsequent builds)"
 
     cmake -DCMAKE_BUILD_TYPE=Release \
           -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
@@ -95,8 +90,6 @@ if [ ! -f "build/libssl.a" ]; then
         echo "Cleaning up .git directory to save cache space..."
         rm -rf .git
     fi
-else
-    echo "✓ BoringSSL already built"
 fi
 
 cd "$VENDOR_DIR"
