xmlsec · mxamin · Feb 16, 2026 · Feb 15, 2026
diff --git a/.github/scripts/manylinux_build_and_test.sh b/.github/scripts/manylinux_build_and_test.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+set -eu
+
+: "${PY_ABI:?PY_ABI is required}"
+: "${MANYLINUX_IMAGE:?MANYLINUX_IMAGE is required}"
+
+# Make local build helpers importable for isolated PEP 517 backend subprocesses.
+export PYTHONPATH="$PWD${PYTHONPATH:+:${PYTHONPATH}}"
+# Ensure dependency archives are read from the restored workspace cache even in isolated builds.
+export PYXMLSEC_LIBS_DIR="$PWD/libs"
+
+# Step: Install system build dependencies (manylinux only)
+echo "== [container] Step: Install system build dependencies (manylinux only) =="
+case "$MANYLINUX_IMAGE" in
+  manylinux*)
+    yum install -y perl-core
+    ;;
+esac
+
+# Step: Install python build dependencies
+echo "== [container] Step: Install python build dependencies =="
+/opt/python/${PY_ABI}/bin/pip install --upgrade pip setuptools wheel build 'setuptools_scm>=8'
+
+# Step: Set environment variables
+echo "== [container] Step: Set environment variables =="
+PKGVER=$(/opt/python/${PY_ABI}/bin/python setup.py --version)
+echo "PKGVER=$PKGVER"
+
+# Step: Build linux_x86_64 wheel
+echo "== [container] Step: Build linux_x86_64 wheel =="
+/opt/python/${PY_ABI}/bin/python -m build
+
+# Step: Label manylinux wheel
+echo "== [container] Step: Label manylinux wheel =="
+ls -la dist/
+auditwheel show dist/xmlsec-${PKGVER}-${PY_ABI}-linux_x86_64.whl
+auditwheel repair dist/xmlsec-${PKGVER}-${PY_ABI}-linux_x86_64.whl
+ls -la wheelhouse/
+auditwheel show wheelhouse/xmlsec-${PKGVER}-${PY_ABI}-*${MANYLINUX_IMAGE}*.whl
+
+# Step: Install test dependencies
+echo "== [container] Step: Install test dependencies =="
+/opt/python/${PY_ABI}/bin/pip install --upgrade -r requirements-test.txt
+/opt/python/${PY_ABI}/bin/pip install xmlsec --only-binary=xmlsec --no-index --find-links=wheelhouse/
+
+# Step: Run tests
+echo "== [container] Step: Run tests =="
+/opt/python/${PY_ABI}/bin/pytest -v --color=yes
+
+# Step: Fix mounted workspace file ownership on host
+echo "== [container] Step: Fix mounted workspace file ownership on host =="
+chown -R "${HOST_UID}:${HOST_GID}" dist wheelhouse build libs || true
diff --git a/.github/workflows/cache_libs.yml b/.github/workflows/cache_libs.yml
@@ -0,0 +1,134 @@
+name: Cache library dependencies
+
+on:
+  workflow_call:
+    inputs:
+      LIBICONV_VERSION:
+        default: "1.18"
+        required: false
+        type: string
+      LIBXML2_VERSION:
+        default: "2.14.6"
+        required: false
+        type: string
+      LIBXSLT_VERSION:
+        default: "1.1.43"
+        required: false
+        type: string
+      OPENSSL_VERSION:
+        default: "3.6.0"
+        required: false
+        type: string
+      XMLSEC1_VERSION:
+        default: "1.3.9"
+        required: false
+        type: string
+      ZLIB_VERSION:
+        default: "1.3.1"
+        required: false
+        type: string
+      WIN_LIBICONV_VERSION:
+        default: "1.18-1"
+        required: false
+        type: string
+      WIN_LIBXML2_VERSION:
+        default: "2.11.9-3"
+        required: false
+        type: string
+      WIN_LIBXSLT_VERSION:
+        default: "1.1.39"
+        required: false
+        type: string
+      WIN_OPENSSL_VERSION:
+        default: "3.0.16.pl1"
+        required: false
+        type: string
+      WIN_XMLSEC1_VERSION:
+        default: "1.3.7"
+        required: false
+        type: string
+      WIN_ZLIB_VERSION:
+        default: "1.3.1"
+        required: false
+        type: string
+
+    outputs:
+      LIBICONV_VERSION:
+        value: ${{ inputs.LIBICONV_VERSION }}
+      LIBXML2_VERSION:
+        value: ${{ inputs.LIBXML2_VERSION }}
+      LIBXSLT_VERSION:
+        value: ${{ inputs.LIBXSLT_VERSION }}
+      OPENSSL_VERSION:
+        value: ${{ inputs.OPENSSL_VERSION }}
+      XMLSEC1_VERSION:
+        value: ${{ inputs.XMLSEC1_VERSION }}
+      ZLIB_VERSION:
+        value: ${{ inputs.ZLIB_VERSION }}
+      WIN_LIBICONV_VERSION:
+        value: ${{ inputs.WIN_LIBICONV_VERSION }}
+      WIN_LIBXML2_VERSION:
+        value: ${{ inputs.WIN_LIBXML2_VERSION }}
+      WIN_LIBXSLT_VERSION:
+        value: ${{ inputs.WIN_LIBXSLT_VERSION }}
+      WIN_OPENSSL_VERSION:
+        value: ${{ inputs.WIN_OPENSSL_VERSION }}
+      WIN_XMLSEC1_VERSION:
+        value: ${{ inputs.WIN_XMLSEC1_VERSION }}
+      WIN_ZLIB_VERSION:
+        value: ${{ inputs.WIN_ZLIB_VERSION }}
+
+jobs:
+  cache_libs:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - "ubuntu-22.04"
+          - "ubuntu-22.04-arm"
+          - "macos-latest"
+          - "windows-2022"
+          - "windows-11-arm"
+
+    runs-on: ${{ matrix.os }}
+
+    env:
+      LIBICONV_VERSION: ${{ contains(matrix.os, 'windows-') && inputs.WIN_LIBICONV_VERSION || inputs.LIBICONV_VERSION }}
+      LIBXML2_VERSION: ${{ contains(matrix.os, 'windows-') && inputs.WIN_LIBXML2_VERSION || inputs.LIBXML2_VERSION }}
+      LIBXSLT_VERSION: ${{ contains(matrix.os, 'windows-') && inputs.WIN_LIBXSLT_VERSION || inputs.LIBXSLT_VERSION }}
+      OPENSSL_VERSION: ${{ contains(matrix.os, 'windows-') && inputs.WIN_OPENSSL_VERSION || inputs.OPENSSL_VERSION }}
+      XMLSEC1_VERSION: ${{ contains(matrix.os, 'windows-') && inputs.WIN_XMLSEC1_VERSION || inputs.XMLSEC1_VERSION }}
+      ZLIB_VERSION: ${{ contains(matrix.os, 'windows-') && inputs.WIN_ZLIB_VERSION || inputs.ZLIB_VERSION }}
+
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Cache [libs]
+      uses: actions/cache@v4.3.0
+      with:
+        path: |
+          libs/*.xz
+          libs/*.gz
+          libs/*.zip
+        key: libs-${{ runner.os }}-${{ runner.arch }}-${{ env.LIBXML2_VERSION }}-${{ env.LIBXSLT_VERSION }}
+
+    - uses: actions/setup-python@v6
+      with:
+        python-version: "3.13"
+
+    - name: Install setuptools shim
+      run: python -m pip install --upgrade pip setuptools
+
+    - name: Download latest libraries
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: python build_libs_xmlsec.py --download-only
+
+    - name: Check Windows library versions
+      if: ${{ contains(matrix.os, 'windows-') }}
+      run: |
+        bash -c '
+        for file in  libs/iconv-${{ inputs.WIN_LIBICONV_VERSION }}.*.zip  libs/libxml2-${{ inputs.WIN_LIBXML2_VERSION }}.*.zip  libs/libxslt-${{ inputs.WIN_LIBXSLT_VERSION }}.*.zip  libs/openssl-${{ inputs.WIN_OPENSSL_VERSION }}.*.zip libs/xmlsec-${{ inputs.WIN_XMLSEC1_VERSION }}.*.zip libs/zlib-${{ inputs.WIN_ZLIB_VERSION }}.*.zip; do
+            [[ -f "$file" ]] || { echo "MISSING: $file" ; exit 1; }
+        done
+        '
diff --git a/.github/workflows/linuxbrew.yml b/.github/workflows/linuxbrew.yml
@@ -3,27 +3,34 @@ on: [push, pull_request]
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref_name != 'master' }}
+
 jobs:
   linuxbrew:
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         python: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+
     env:
       # For some unknown reason, linuxbrew tries to use "gcc-11" by default, which doesn't exist.
       CC: gcc
+
     steps:
       - uses: actions/checkout@v3
+
       - name: Install brew
         run: |
           sudo apt install -y build-essential procps curl file git
           /bin/bash -c "$(curl -fsSL https://raw-githubusercontent-com-gh.computerqwq.top/Homebrew/install/HEAD/install.sh)"
           echo "/home/linuxbrew/.linuxbrew/bin" >> $GITHUB_PATH
+
       - name: Install build dependencies
         run: |
           brew update
           brew install python@${{ matrix.python }} gcc libxml2 libxmlsec1 pkg-config
           echo "/home/linuxbrew/.linuxbrew/opt/python@${{ matrix.python }}/libexec/bin" >> $GITHUB_PATH
+
       - name: Build wheel
         run: |
           python3 -m venv build_venv
@@ -33,6 +40,7 @@ jobs:
           export LDFLAGS="-L$(brew --prefix)/lib"
           python3 -m build
           rm -rf build/
+
       - name: Run tests
         run: |
           python3 -m venv test_venv

diff --git a/.github/workflows/macosx.yml b/.github/workflows/macosx.yml
@@ -3,23 +3,47 @@ on: [push, pull_request]
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref_name != 'master' }}
+
 jobs:
+  cache_libs:
+    uses: ./.github/workflows/cache_libs.yml
+    secrets: inherit
+
   macosx:
+    needs: cache_libs
     runs-on: macos-latest
+
+    env:
+      LIBXML2_VERSION: ${{ needs.cache_libs.outputs.LIBXML2_VERSION }}
+      LIBXSLT_VERSION: ${{ needs.cache_libs.outputs.LIBXSLT_VERSION }}
+
     strategy:
       matrix:
         python: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
         static_deps: ["static", ""]
+
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup Python
-        uses: actions/setup-python@v4
+      - uses: actions/checkout@v5.0.0
+
+      - name: Cache [libs]
+        id: cache-libs
+        uses: actions/cache/restore@v4.3.0
+        with:
+          path: |
+            libs/*.xz
+            libs/*.gz
+            libs/*.zip
+          key: libs-${{ runner.os }}-${{ runner.arch }}-${{ env.LIBXML2_VERSION }}-${{ env.LIBXSLT_VERSION }}
+
+      - uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python }}
+
       - name: Install build dependencies
         run: |
           pip install --upgrade pip setuptools wheel build
           brew install libxml2 libxmlsec1 pkg-config
+
       - name: Build macosx_x86_64 wheel
         env:
           CC: clang
@@ -29,26 +53,38 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           export PKG_CONFIG_PATH="$(brew --prefix)/opt/libxml2/lib/pkgconfig"
-          export PYXMLSEC_LIBXML2_VERSION="$(pkg-config --modversion libxml-2.0)"
+          export PYXMLSEC_LIBS_DIR="$PWD/libs"
           python -m build
           rm -rf build/
+
       - name: Set environment variables
         shell: bash
         run: |
           echo "PKGVER=$(python setup.py --version)" >> $GITHUB_ENV
           echo "LLVM_PROFILE_FILE=pyxmlsec.profraw" >> $GITHUB_ENV
-      - name: Install test dependencies
+
+      - name: Install test dependencies (static only)
+        if: matrix.static_deps == 'static'
+        run: |
+          pip install coverage --upgrade -r requirements-test.txt
+          pip install xmlsec --only-binary=xmlsec --no-index --find-links=dist/
+
+
+      - name: Install test dependencies (non-static only)
+        if: matrix.static_deps != 'static'
         run: |
           export PKG_CONFIG_PATH="$(brew --prefix)/opt/libxml2/lib/pkgconfig"
           pip install coverage --upgrade --no-binary=lxml -r requirements-test.txt
           pip install xmlsec --only-binary=xmlsec --no-index --find-links=dist/
           echo "PYXMLSEC_LIBFILE=$(python -c 'import xmlsec; print(xmlsec.__file__)')" >> $GITHUB_ENV
+
       - name: Run tests
         run: |
           coverage run -m pytest -v --color=yes
+
       - name: Report coverage to codecov
+        if: matrix.static_deps != 'static'
         run: |
           /Library/Developer/CommandLineTools/usr/bin/llvm-profdata merge -sparse ${{ env.LLVM_PROFILE_FILE }} -output pyxmlsec.profdata
           /Library/Developer/CommandLineTools/usr/bin/llvm-cov show ${{ env.PYXMLSEC_LIBFILE }} --arch=$(uname -m) --instr-profile=pyxmlsec.profdata src > coverage.txt
           bash <(curl -s https://codecov.io/bash) -f coverage.txt
-        if: matrix.static_deps != 'static'