Add optional branch alignment support using feature probe

- Enables `-Wa,-mbranches-within-32B-boundaries` only on x86 with GCC ≥8
- Skips it for Clang or unsupported compilers
- Uses feature probing to detect support

ci: remove S2N_TEST_IN_FIPS_MODE (aws#4994)

Migrate PQ Rust code to TLS 1.3 (aws#4998)

chore: add new team member (aws#5006)

chore(s2n-tls-hyper): Publish s2n-tls-hyper (aws#5000)

ci: add script to help launch stuck codebuild jobs (aws#5004)

ci: config logging for integration tests (aws#4751)

Co-authored-by: Doug Chapman <[email protected]>

Migrate PQ Python code to TLS 1.3 (aws#4999)

fix: don't prefix empty string when interning (aws#5015)

chore: remove unused imports (aws#5017)

fix(bindings/bench): Prevent IO from going out of scope (aws#5007)

ci: commit integrationv2 small batch spec (aws#5020)

ci: keep start_codebuild.sh up-to-date (aws#5023)

chore: remove unused test utils (aws#5005)

ci: improve output of validate_start_codebuild_script (aws#5031)

refactor(bin): remove references to FIPS_mode_set (aws#5026)

chore: improve the dashboard comment query (aws#5016)

tests: make integV2 locally runnable (aws#5029)

feature: remove openssl-1.0.2-fips fips mode support (aws#5030)

chore: run more checks on pushes to main (aws#4963)

fix: add build specs to copyright check (aws#5025)

fix(bindings): Specify correct minimum versions (aws#5028)

ci: add timeout for cbmc proof (aws#5038)

Co-authored-by: Boquan Fang <[email protected]>

test: add sslv2 client hello test w/ jvm (aws#5019)

Co-authored-by: Lindsay Stewart <[email protected]>

docs: add C / s2n-tls-sys doc references to s2n-tls docs (aws#5012)

Add Security Policy Deprecation API (aws#5034)

Co-authored-by: James Mayclin <[email protected]>
Co-authored-by: Lindsay Stewart <[email protected]>

ci: add openssl-3.0-fips builds (aws#5037)

fix: initial config should not influence sslv2 (aws#4987)

Co-authored-by: maddeleine <[email protected]>

chore: bindings release for 0.3.10 (aws#5046)

Co-authored-by: Boquan Fang <[email protected]>

chore: bump osx Openssl to latest (aws#5041)

Signed-off-by: Rui Chen <[email protected]>
Co-authored-by: Rui Chen <[email protected]>

chore: fix typos (aws#5052)

build(deps): bump cross-platform-actions/action from 0.26.0 to 0.27.0 in /.github/workflows in the all-gha-updates group (aws#5053)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

ci: pin duvet version (aws#5057)

refactor: remove openssl-1.0.2-fips 'allow md5' logic (aws#5048)

ci: Adding integ tests back to integv2 (aws#5054)

refactor: cleanup CBMC proofs after aws#5048 (aws#5058)

feat(bench): impl into for base config type (aws#5056)

Revert "ci: remove openssl-1.0.2-fips builds (aws#4995)" (aws#5060)

ci: change rust-toolchain format to toml (aws#5070)

ci: Emit benchmark metrics from scheduled runs (aws#5064)

fix(bindings): prevent temp connection free after panic (aws#5067)

docs(integv2): add architecture diagram (aws#5072)

docs(s2n-tls-hyper): Add hyper client/server example (aws#5069)

ci: fix dependabot, commit & check Cargo.toml (aws#5065)

Co-authored-by: Sam Clark <[email protected]>

fix(integration): Update PQ integration test expectations (aws#5082)

fix: add support for `S2N_INTERN_LIBCRYPTO` with FetchContent (aws#5076)

fix: calculation of session ticket age (aws#5001)

Co-authored-by: Boquan Fang <[email protected]>

fix: error for uninit psk, check for all-zero psk (aws#5084)

fix: don't use DEPENDS with add_custom_command(TARGET) (aws#5074)

fix(ci): Allow validate_start_codebuild to run on pushes to main (aws#5080)

test: add minimal openssl-3.0-fips test (aws#5081)

feat(bindings): add external psk apis (aws#5061)

Fixed formatting for debugging statements (aws#5094)

chore: ktls buildspec (aws#5083)

chore: bindings release 0.3.11 (aws#5098)

fix(integrationv2): Skip unsupported client auth tests (aws#5096)

Co-authored-by: James Mayclin <[email protected]>

build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 in /.github/workflows in the all-gha-updates group across 1 directory (aws#5107)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

refactor: remove s2n_hmac_is_available (aws#5104)

refactor: remove unused evp support for md5+sha1 (aws#5106)

fix: allow b64 decoding using libcrypto for sidechannel resistance (aws#5103)

Co-authored-by: Sam Clark <[email protected]>
Co-authored-by: Doug Chapman <[email protected]>

fix: don't enable custom random for openssl fips (aws#5093)

Co-authored-by: Sam Clark <[email protected]>

ci: add default provider to openssl-3.0-fips (aws#5114)

Revert "refactor: remove unused evp support for md5+sha1 (aws#5106)" (aws#5118)

Add new security policy (20250211) (aws#5111)

refactor: move "s2n_libcrypto_is" methods into s2n_libcrypto.h (aws#5117)

bindings: unpin openssl crate from a specific patch version (aws#5120)

Co-authored-by: Boquan Fang <[email protected]>

chore: fix a typo in API comments (aws#5123)

Co-authored-by: Boquan Fang <[email protected]>

build(deps): update rand requirement (aws#5125)

Co-authored-by: Boquan Fang <[email protected]>

fix(bindings): make Context borrow immutable (aws#5071)

feat: Option to disable RAND engine override (aws#5108)

refactor: use EVP_MD_fetch() if available (aws#5116)

Co-authored-by: Sam Clark <[email protected]>

chore: binding release 0.3.12 (aws#5128)

Co-authored-by: Boquan Fang <[email protected]>

fix(bindings): remove mutation behind Arc (aws#5124)

chore: remove unused well-known-endpoints.py (aws#5127)

feat: add async cert validation support (aws#5110)

ci: add check for third-party-src in disable rand override buildspec (aws#5137)

Co-authored-by: Boquan Fang <[email protected]>

refactor: always use EVP hashing (aws#5121)

fix: update callback return value (aws#5136)

ci: always set values for command line defines (aws#5126)

tests: use sig schemes as source of truth for valid hash+sig algs (aws#5129)

build(deps): update rtshark requirement from 2.9.0 to 3.1.0 in /tests/pcap in the all-cargo-updates group across 1 directory (aws#5087)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

test(integv2): fixes to allow test_record_padding to partially run (aws#5099)

Co-authored-by: James Mayclin <[email protected]>

chore(nix): Add aws-lc-fips 2022/4 (aws#5109)

Co-authored-by: Lindsay Stewart <[email protected]>

Ruff Formatting and add to CI (aws#5138)

Co-authored-by: James Mayclin <[email protected]>

feat(bindings): expose context on cert chain (aws#5132)

Co-authored-by: Sam Clark <[email protected]>

refactor: cleanup prf header (aws#5144)

refactor: add alternative EVP signing method (aws#5141)

fix: memory leak during STEK rotation (aws#5146)

chore(ci): make the awslc fips install script version aware (aws#5100)

Co-authored-by: Lindsay Stewart <[email protected]>
Co-authored-by: Sam Clark <[email protected]>

refactor: remove unused prf hmac impls (aws#5148)

chore(bindings): change in rustup behavior (aws#5160)

chore: git-blame-ignore ruff formatting (aws#5151)

tests: try to make s2n_mem_usage_test more useful (aws#5139)

Co-authored-by: Sam Clark <[email protected]>

chore(ci): pin symbolic-common (aws#5166)

chore: binding release 0.3.13 (aws#5167)

refactor: add libcrypto PRF impl for openssl-3.0-fips (aws#5158)

build(deps): bump nixbuild/nix-quick-install-action from 29 to 30 in /.github/workflows in the all-gha-updates group (aws#5153)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

style: fix redundant return (aws#5150)

chore: update git blame ignore commit ID (aws#5164)

tests: fix flaky ja4 test (aws#5169)

fix: mark chachapoly as unavailable with openssl-3.0-fips (aws#5168)

fix(ruff): resolve linting errors detected by Ruff (aws#5140)

chore: pin once_cell version to unblock the CI (aws#5174)

Co-authored-by: Boquan Fang <[email protected]>

ci: use ruff --diff instead of --check (aws#5177)

(docs): Improve PQ docs (aws#5173)

Co-authored-by: Sam Clark <[email protected]>

test(integv2): add partial support for OpenSSL 3.0 provider (aws#5131)

Co-authored-by: James Mayclin <[email protected]>

ci: make start_codebuild.sh work for forks (aws#5178)

chore: add inline noqa suppression (aws#5159)

test: reduce parameter selection (aws#5161)

test: fix self-talk pkey offload test for openssl-3.0-fips (aws#5175)

build(deps): update aws-lc-rs version to remove paste deps (aws#5192)

Co-authored-by: Boquan Fang <[email protected]>

chore: bump linting action Ubuntu version (aws#5186)

Co-authored-by: Boquan Fang <[email protected]>

ci: cleanup awslc-fips versioning (aws#5156)

chore: include Need By Date section in github issue template (aws#5187)

Co-authored-by: Boquan Fang <[email protected]>

ci: move openssl3fips build to existing asan build (aws#5181)

fix: openssl-3.0-fips should use separate private rand (aws#5184)

fix: remove unnecessary RC4 restriction (aws#5170)

fix: openssl-3.0-fips should use libcrypto HKDF (aws#5183)

Co-authored-by: Sam Clark <[email protected]>

ci: defend against unset version number in awslc installer (aws#5195)

feature: openssl-3.0-fips support (aws#5191)

ci: add libcrypto openssl-3.0-fips to integ tests (aws#5202)

ci: add openssl-3.0-fips to asan build properly (aws#5204)

fix: handshake message length integer overflow in s2n_handshake_finish_header (aws#5206)

Co-authored-by: Boquan Fang <[email protected]>

chore: deprecate s2n_set (aws#5155)

chore: binding release 0.3.14 (aws#5210)

Remove PQ TLS 1.2 from all Security Policies (aws#5194)

ci: exclude new setuptools (aws#5215)

fix: Update README.md to include Rust bindings docs (aws#5212)

feat: add s2n_connection_get_key_exchange_group (aws#5209)

chore: bindings release 0.3.15 (aws#5221)

ci: add openssl-3.0-fips to valgrind (aws#5211)

docs: fix openssl-3.0-fips provider requirements documentation (aws#5214)

refactor(bindings): use implicit linking for aws-lc (aws#5218)

fix: tighten session ticket lifetime (aws#5217)

ci: Fix cppcheck build (aws#5238)

refactor: implement match the same for all pkeys (aws#5224)

ci: add openssl-3.0-fips to general batch (aws#5207)

refactor: add evp pkey size/encrypt/decrypt methods (aws#5225)

feat(bindings): expose certificate match api (aws#5220)

Co-authored-by: James Mayclin <[email protected]>

ci: add ruff linting (aws#5182)

ci: pin nix installer to older version (aws#5245)

chore: Fix new clippy warning (aws#5243)

Co-authored-by: Boquan Fang <[email protected]>

ci: rebalance integV2 testcases (aws#5232)

fix: tainted handshake.io and add large client hello test (aws#5208)

Co-authored-by: Boquan Fang <[email protected]>

chore: bindings release 0.3.16 (aws#5242)

Co-authored-by: Boquan Fang <[email protected]>

refactor: remove legacy pkey impls (aws#5241)

Revert "ci: exclude new setuptools (aws#5215)" (aws#5226)

fix: make -fPIC flag private (aws#5227)

Co-authored-by: Souvik Banerjee <[email protected]>

doc: tainted stuffer reset operation (aws#5231)

Co-authored-by: Boquan Fang <[email protected]>

feat: Expose `as_ptr()` for external build (aws#5229)

ci: pytest generate junit reports (aws#5235)

add compiler flag

added c check x86 and correct compiler

cmake fix

testing

removed clang

Print statements

compiler check

print

find clang

branch probing

removed individual probing

removed old unneeded changes

added back original line

fixed .c file

ci: use correct openssl version for updated AL2023 version (aws#5255)

chore(ci): revert nix installer pin (aws#5251)

ci: add awslcfips to nix jobs (aws#5205)

Co-authored-by: Copilot <[email protected]>

moved adding options to the bottom

copmiler debug prints

clang printout

remove setting compiler to clang

set clang as default

remove clang

move fuzz cmake into it's own directory

fixed path to fuzz

back to original

only branch if we're not fuzz tests

add clang back now

removed debugging prints

removed checking for compiler

testing move back original block

removed feature probe messaging because we already have them

Author: lrstewart

.git-blame-ignore-revs

@@ -39,3 +39,5 @@ f5351ef6629d1f6de144ab478bf4294ec277b321
 e8cdc1ae63ff1de6f14cf91e3c317fbf57c198ec
 # clang-format `utils/` and enforce in ci (#3651)
 be8ad6c027b50e9dc86d8f8eb729ce88f2d4206d
+# Ruff format updated CI and code (#5138)
+ac1d09851b4d625f83d1fa68b467abbca8fdd408

.github/ISSUE_TEMPLATE/custom.md

@@ -17,6 +17,10 @@ AWS Security via our [vulnerability reporting page](http://aws.amazon.com/securi
 
 A short description of what the problem is and why we need to fix it. Add reproduction steps if necessary.
 
+### Need By Date:
+
+Do you have a date that you need this issue resolved by? What is the reason for that date, and what are the consequences of missing it? Any additional information you can provide to help prioritize the issue is appreciated. However, we cannot guarantee that this issue will be fixed by the requested date.
+
 ### Solution:
 
 A description of the possible solution in terms of S2N architecture. Highlight and explain any potentially controversial design decisions taken.

.github/ISSUE_TEMPLATE/s2n-issue.md

@@ -16,6 +16,10 @@ AWS Security via our [vulnerability reporting page](http://aws.amazon.com/securi
 
 A short description of what the problem is and why we need to fix it. Add reproduction steps if necessary.
 
+### Need By Date:
+
+Do you have a date that you need this issue resolved by? What is the reason for that date, and what are the consequences of missing it? Any additional information you can provide to help prioritize the issue is appreciated. However, we cannot guarantee that this issue will be fixed by the requested date.
+
 ### Solution:
 
 A description of the possible solution in terms of S2N architecture. Highlight and explain any potentially controversial design decisions taken.

.github/dependabot.yml

@@ -31,6 +31,7 @@ updates:
   # restricted-MSRV, so don't do batch updates
   - package-ecosystem: "cargo"
     directories:
-      - "/bindings/rust"
+      - "/bindings/rust/standard"
+      - "/bindings/rust/extended"
     schedule:
       interval: "daily"

.github/install_osx_dependencies.sh

@@ -26,4 +26,4 @@ brew_install_if_not_installed coreutils
 brew_install_if_not_installed cppcheck
 brew_install_if_not_installed pkg-config  # for gnutls compilation
 brew_install_if_not_installed ninja
-brew_install_if_not_installed openssl@1.1 # for libcrypto
+brew_install_if_not_installed openssl@3 # for libcrypto

.github/s2n_osx.sh

@@ -14,25 +14,25 @@
 # permissions and limitations under the License.
 #
 set -eu
-source codebuild/bin/s2n_setup_env.sh
 
+export S2N_LIBCRYPTO=openssl-3.4
 export CTEST_OUTPUT_ON_FAILURE=1
-BREWINSTLLPATH=$(brew --prefix openssl@1.1)
-OPENSSL_1_1_1_INSTALL_DIR="${BREWINSTLLPATH:-"/usr/local/Cellar/openssl@1.1/1.1.1?"}"
+BREWINSTLLPATH=$(brew --prefix openssl@3)
+OPENSSL_3_INSTALL_DIR="${BREWINSTLLPATH:-"/opt/homebrew/Cellar/openssl@3"}"
 
-echo "Using OpenSSL at $OPENSSL_1_1_1_INSTALL_DIR"
+echo "Using OpenSSL at $OPENSSL_3_INSTALL_DIR"
 # Build with debug symbols and a specific OpenSSL version
 cmake . -Bbuild -GNinja \
 -DCMAKE_BUILD_TYPE=Debug \
--DCMAKE_PREFIX_PATH=${OPENSSL_1_1_1_INSTALL_DIR} ..
+-DCMAKE_PREFIX_PATH=${OPENSSL_3_INSTALL_DIR} ..
 
 cmake --build ./build -j $(nproc)
 time CTEST_PARALLEL_LEVEL=$(nproc) ninja -C build test
 
 # Build shared library
 cmake . -Bbuild -GNinja \
 -DCMAKE_BUILD_TYPE=Debug \
--DCMAKE_PREFIX_PATH=${OPENSSL_1_1_1_INSTALL_DIR} .. \
+-DCMAKE_PREFIX_PATH=${OPENSSL_3_INSTALL_DIR} .. \
 -DBUILD_SHARED_LIBS=ON
 
 cmake --build ./build -j $(nproc)

.github/teams.yml

@@ -8,4 +8,5 @@ s2n-core:
   - '@jmayclin'
   - '@jouho'
   - '@boquan-fang'
-  - '@CarolYeh910'
+  - '@CarolYeh910'
+  - '@johubertj'

.github/workflows/bench.yml

@@ -1,6 +1,8 @@
 name: Benchmarking
 
 on:
+  pull_request:
+    branches: [main]
   push:
     branches: [main]
   schedule:
@@ -29,23 +31,26 @@ jobs:
           pip3 install "boto3[crt]"
 
       - name: Generate
-        working-directory: bindings/rust
+        working-directory: bindings/rust/extended
         run: ./generate.sh --skip-tests
 
       - name: Benchmark
-        working-directory: bindings/rust/bench
+        working-directory: bindings/rust/standard/bench
         run: cargo criterion --message-format json > criterion_output.log
 
       - name: Configure AWS Credentials
-        uses: aws-actions/[email protected]
+        # Only continue with the workflow to emit metrics on code that has been merged to main.
+        if: github.event_name != 'pull_request'
+        uses: aws-actions/[email protected]
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
           role-session-name: s2ntlsghabenchsession
           aws-region: us-west-2
 
       - name: Emit CloudWatch metrics
+        if: github.event_name != 'pull_request'
         run: |
           python3 .github/bin/criterion_to_cloudwatch.py \
-            --criterion_output_path bindings/rust/bench/criterion_output.log \
+            --criterion_output_path bindings/rust/standard/bench/criterion_output.log \
             --namespace s2n-tls-bench \
             --platform ${{ runner.os }}-${{ runner.arch }}

.github/workflows/ci_compliance.yml

@@ -31,6 +31,7 @@ jobs:
       - name: Run duvet action
         uses: ./s2n-quic/.github/actions/duvet
         with:
+          duvet-version: 0.3.0 # Pin until we fix parsing issues
           s2n-quic-dir: ./s2n-quic
           report-script: compliance/generate_report.sh
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole

.github/workflows/ci_freebsd.yml

@@ -1,6 +1,8 @@
 name: FreeBSD
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:

.github/workflows/ci_linting.yml

@@ -1,17 +1,16 @@
 ---
 name: Linters
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
     types: [checks_requested]
     branches: [main]
 jobs:
   cppcheck:
-    # ubuntu-latest introduced a newer gcc version that cannot compile cppcheck 2.3
-    # TODO: upgrade to latest cppcheck and revert to ubuntu-latest
-    #       see https://github.com/aws/s2n-tls/issues/3656
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       CPPCHECK_INSTALL_DIR: test-deps/cppcheck
     steps:
@@ -72,21 +71,40 @@ jobs:
         run: |
           ./codebuild/bin/run_kwstyle.sh
           ./codebuild/bin/cpp_style_comment_linter.sh
-  pepeight:
+
+  ruff:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
         uses: actions/checkout@v4
-      - name: Run autopep8
-        id: autopep8
-        uses: peter-evans/autopep8@v2
-        with:
-          args: --diff --exit-code .
-      - name: Check exit code
-        if: steps.autopep8.outputs.exit-code != 0
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Run Ruff formatting check
+        working-directory: tests/integrationv2
+        id: ruff_format
+        run: uv run ruff format --diff .
+        continue-on-error: true
+
+      - name: Check format exit code
+        if: steps.ruff_format.outcome == 'failure'
         run: |
-            echo "Run 'autopep8 --in-place .' to fix"
+            echo "Run 'ruff format .' to fix formatting issues"
             exit 1
+
+      - name: Run Ruff lint check
+        working-directory: tests/integrationv2
+        id: ruff_lint
+        run: uv run ruff check .
+        continue-on-error: true
+
+      - name: Check lint exit code
+        if: steps.ruff_lint.outcome == 'failure'
+        run: |
+          echo "Linting issues detected. Run 'ruff check .' locally to see errors and fix them."
+          exit 1
+
   clang-format:
     runs-on: ubuntu-latest
     steps:
@@ -101,7 +119,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: nixbuild/nix-quick-install-action@v29
+      - uses: nixbuild/nix-quick-install-action@v30
         with:
           nix_conf: experimental-features = nix-command flakes
       - name: nix flake check
@@ -110,7 +128,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: nixbuild/nix-quick-install-action@v29
+      - uses: nixbuild/nix-quick-install-action@v30
         with:
           nix_conf: experimental-features = nix-command flakes
       - name: nix fmt
@@ -128,3 +146,45 @@ jobs:
           exit 1
       - name: Success
         run: echo "All nix files passed format check"
+        
+  validate_start_codebuild_script:
+    name: validate start_codebuild.sh
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: pause
+        run: "sleep 120"
+      - name: retrieve statuses
+        id: get_statuses
+        uses: octokit/[email protected]
+        with:
+          route: GET /repos/{repo}/commits/{ref}/statuses?per_page=100
+          repo: ${{ github.repository }}
+          ref: ${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha || github.event.after }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: check start_codebuild.sh against statuses
+        id: github_builds
+        run: |
+            from_github=$(
+                jq '.[] | .description' <<< '${{ steps.get_statuses.outputs.data }}' \
+                    | grep "for project" \
+                    | sed -r "s/^.*?for project (.*?)\"$/\1/" \
+                    | sort -u
+            )
+            if [ -z "$from_github" ]; then
+                echo "No codebuild job statuses!"
+                echo "You may need to kick off the codebuild jobs with" \
+                    "./codebuild/bin/start_codebuild.sh and then retry."
+                exit 1
+            fi
+            echo builds from github statuses:
+            printf "$from_github\n\n"
+            from_file=$(
+                source codebuild/bin/start_codebuild.sh > /dev/null \
+                || printf "%s\n" "${BUILDS[@]}" | cut -d" " -f1 | sort -u
+            )
+            echo builds from start_codebuild.sh:
+            printf "$from_file\n\n"
+            echo "diff output:"
+            diff <(echo "$from_github") <(echo "$from_file")

.github/workflows/ci_openbsd.yml

@@ -1,6 +1,8 @@
 name: OpenBSD
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
@@ -15,7 +17,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Build and test in OpenBSD
         id: test
-        uses: cross-platform-actions/action@v0.26.0
+        uses: cross-platform-actions/action@v0.27.0
         with:
           operating_system: openbsd
           architecture: x86-64