@@ -278,3 +278,37 @@ jobs:
278278 --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // {
279279 openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR;
280280 }" \
281+
282+ # Builds and tests Node.js with shared libraries against the BoringSSL
283+ # package available in the repo-pinned nixpkgs. This is opt-in for PRs using
284+ # the `test-shared-boringssl` label so the default shared-library coverage
285+ # remains OpenSSL-based.
286+ build-boringssl :
287+ if : github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'test-shared-boringssl')
288+ needs : build-aarch64-linux-v8
289+ name : ' aarch64-linux: with shared BoringSSL'
290+ runs-on : ubuntu-24.04-arm
291+ steps :
292+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
293+ with :
294+ persist-credentials : false
295+ sparse-checkout : .github/actions
296+ sparse-checkout-cone-mode : false
297+
298+ - uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
299+ if : ${{ needs.build-aarch64-linux-v8.outputs.local-cache }}
300+ with :
301+ name : libv8-aarch64-linux.nar
302+
303+ - uses : ./.github/actions/build-shared
304+ name : Build and test Node.js
305+ with :
306+ cachix-auth-token : ${{ secrets.CACHIX_AUTH_TOKEN }}
307+ # Override just the `openssl` attr of the default shared-lib set with
308+ # the BoringSSL package from the repo-pinned nixpkgs. All other
309+ # shared libs (brotli, cares, libuv, ...) keep their defaults.
310+ extra-nix-flags : |
311+ --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8-aarch64-linux.nar)"' || 'true' }} \
312+ --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // {
313+ openssl = (import $TAR_DIR/tools/nix/pkgs.nix {}).boringssl;
314+ }" \
0 commit comments