From ab8ccaed2479bf7d019b3aa25f22299546e23828 Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Thu, 22 Jan 2026 02:45:10 +0100
Subject: [PATCH] GHA/linux: move mbedTLS and wolfSSL valgrind jobs to arm64

For significantly better performance.

AM wolfssl-opensslextra valgrind 1:  6m53s -> 4m15s
AM wolfssl-opensslextra valgrind 2:  6m47s -> 4m25s
CM mbedtls gss valgrind 1:           8m33s -> 4m31s
CM mbedtls gss valgrind 2:           8m39s -> 4m34s
('after' times corrected for 'install prereq' differences)

before: https://github.com/curl/curl/actions/runs/21255607562
after: https://github.com/curl/curl/actions/runs/21257368016

Also tried rustls, but that'd require linux arm64 release binaries at:
https://github.com/rustls/rustls-ffi/releases

Closes #20392
---
 .github/workflows/linux.yml | 52 +++++++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 4ed36b6741..4ef3a5c75f 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -104,37 +104,40 @@ jobs:
             configure: LDFLAGS=-Wl,-rpath,/home/runner/wolfssl-all/lib --with-wolfssl=/home/runner/wolfssl-all --enable-ech --enable-debug
 
           - name: 'wolfssl-opensslextra valgrind 1'
+            image: ubuntu-24.04-arm
             install_packages: valgrind
-            install_steps: wolfssl-opensslextra
+            install_steps: wolfssl-opensslextra-arm
             tflags: '--min=780 1 to 950'
             configure: LDFLAGS=-Wl,-rpath,/home/runner/wolfssl-opensslextra/lib --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
 
           - name: 'wolfssl-opensslextra valgrind 2'
+            image: ubuntu-24.04-arm
             install_packages: valgrind
-            install_steps: wolfssl-opensslextra
+            install_steps: wolfssl-opensslextra-arm
             tflags: '--min=800 951 to 9999'
             configure: LDFLAGS=-Wl,-rpath,/home/runner/wolfssl-opensslextra/lib --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
 
           - name: 'mbedtls gss valgrind 1'
+            image: ubuntu-24.04-arm
             install_packages: libnghttp2-dev libidn2-dev libldap-dev libgss-dev valgrind
-            install_steps: mbedtls-latest-intel
+            install_steps: mbedtls-latest-arm
             tflags: '--min=830 1 to 950'
             LDFLAGS: -Wl,-rpath,/home/runner/mbedtls/lib
             PKG_CONFIG_PATH: /home/runner/mbedtls/lib/pkgconfig
             generate: -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON -DCURL_USE_GSSAPI=ON -DCURL_DROP_UNUSED=ON
 
           - name: 'mbedtls gss valgrind 2'
+            image: ubuntu-24.04-arm
             install_packages: libnghttp2-dev libidn2-dev libldap-dev libgss-dev valgrind
-            install_steps: mbedtls-latest-intel
+            install_steps: mbedtls-latest-arm
             tflags: '--min=800 951 to 9999'
             LDFLAGS: -Wl,-rpath,/home/runner/mbedtls/lib
             PKG_CONFIG_PATH: /home/runner/mbedtls/lib/pkgconfig
             generate: -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON -DCURL_USE_GSSAPI=ON
 
           - name: 'mbedtls clang'
-            image: ubuntu-24.04-arm
             install_packages: libssh-dev libnghttp2-dev libldap-dev clang
-            install_steps: mbedtls-latest-arm pytest
+            install_steps: mbedtls-latest-intel pytest
             configure: CC=clang LDFLAGS=-Wl,-rpath,/home/runner/mbedtls/lib --with-mbedtls=/home/runner/mbedtls --with-libssh --enable-debug --with-fish-functions-dir --with-zsh-functions-dir
 
           - name: 'mbedtls-prev'
@@ -275,7 +278,7 @@ jobs:
 
           - name: 'clang-tidy'
             install_packages: clang-tidy libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev
-            install_steps: skipall mbedtls-latest-intel rustls wolfssl-opensslextra
+            install_steps: skipall mbedtls-latest-intel rustls wolfssl-opensslextra-intel
             install_steps_brew: gsasl
             make-custom-target: tidy
             LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/gsasl/lib
@@ -287,7 +290,7 @@ jobs:
 
           - name: 'scan-build'
             install_packages: clang-tools clang libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libgss-dev librtmp-dev libgnutls28-dev
-            install_steps: skipall mbedtls-latest-intel rustls wolfssl-opensslextra
+            install_steps: skipall mbedtls-latest-intel rustls wolfssl-opensslextra-intel
             install_steps_brew: gsasl
             CC: clang
             configure-prefix: scan-build
@@ -539,18 +542,39 @@ jobs:
             --disable-benchmark --disable-crypttests --disable-examples --prefix=/home/runner/wolfssl-all
           make install
 
-      - name: 'cache wolfssl (opensslextra)'  # does support `OPENSSL_COEXIST`
-        if: ${{ contains(matrix.build.install_steps, 'wolfssl-opensslextra') }}
+      - name: 'cache wolfssl (opensslextra-intel)'  # does support `OPENSSL_COEXIST`
+        if: ${{ contains(matrix.build.install_steps, 'wolfssl-opensslextra-intel') }}
         uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        id: cache-wolfssl-opensslextra
+        id: cache-wolfssl-opensslextra-intel
         env:
-          cache-name: cache-wolfssl-opensslextra
+          cache-name: cache-wolfssl-opensslextra-intel
         with:
           path: ~/wolfssl-opensslextra
           key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.WOLFSSL_VERSION }}
 
-      - name: 'build wolfssl (opensslextra)'
-        if: ${{ contains(matrix.build.install_steps, 'wolfssl-opensslextra') && steps.cache-wolfssl-opensslextra.outputs.cache-hit != 'true' }}
+      - name: 'build wolfssl (opensslextra-intel)'
+        if: ${{ contains(matrix.build.install_steps, 'wolfssl-opensslextra-intel') && steps.cache-wolfssl-opensslextra-intel.outputs.cache-hit != 'true' }}
+        run: |
+          curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
+            --location "https://github.com/wolfSSL/wolfssl/archive/v${WOLFSSL_VERSION}-stable.tar.gz" | tar -xz
+          cd "wolfssl-${WOLFSSL_VERSION}-stable"
+          ./autogen.sh
+          ./configure --disable-dependency-tracking --enable-tls13 --enable-harden --enable-ech --enable-opensslextra \
+            --disable-benchmark --disable-crypttests --disable-examples --prefix=/home/runner/wolfssl-opensslextra
+          make install
+
+      - name: 'cache wolfssl (opensslextra-arm)'  # does support `OPENSSL_COEXIST`
+        if: ${{ contains(matrix.build.install_steps, 'wolfssl-opensslextra-arm') }}
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        id: cache-wolfssl-opensslextra-arm
+        env:
+          cache-name: cache-wolfssl-opensslextra-arm
+        with:
+          path: ~/wolfssl-opensslextra
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.WOLFSSL_VERSION }}
+
+      - name: 'build wolfssl (opensslextra-arm)'
+        if: ${{ contains(matrix.build.install_steps, 'wolfssl-opensslextra-arm') && steps.cache-wolfssl-opensslextra-arm.outputs.cache-hit != 'true' }}
         run: |
           curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
             --location "https://github.com/wolfSSL/wolfssl/archive/v${WOLFSSL_VERSION}-stable.tar.gz" | tar -xz