From a104f8ac4376ced7bd5a252757ab2c6f6b7efa5b Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Mon, 14 Jul 2025 21:19:58 +0000
Subject: [PATCH 01/17] Adapt @hugovk's proof-of-concept CI definition refactor

Suggested by @hugovk [1].

[1]: https://github.com/hugovk/cpython/commit/a3f2ba9eb0c9bd1927d9a34faed98234afe88c70
---
 .github/workflows/build.yml           | 131 +++++++-------------------
 .github/workflows/reusable-ubuntu.yml |   2 +-
 2 files changed, 35 insertions(+), 98 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 05f20e12f4653d..b068aaf96755e5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -260,8 +260,8 @@ jobs:
       free-threading: ${{ matrix.free-threading }}
       os: ${{ matrix.os }}
 
-  build-ubuntu-ssltests-openssl:
-    name: 'Ubuntu SSL tests with OpenSSL'
+  build-ubuntu-ssltests:
+    name: 'Ubuntu SSL tests'
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     needs: build-context
@@ -269,75 +269,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-24.04]
-        openssl_ver: [3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1]
+        include:
+          - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.0.16 }
+          - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.1.8 }
+          - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.2.4 }
+          - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.3.3 }
+          - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.4.1 }
+          - { os: ubuntu-24.04, ssl: aws-lc,  ssl_ver: 1.55.0 }
         # See Tools/ssl/make_ssl_data.py for notes on adding a new version
     env:
-      OPENSSL_VER: ${{ matrix.openssl_ver }}
-      MULTISSL_DIR: ${{ github.workspace }}/multissl
-      OPENSSL_DIR: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}
-      LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
-    - name: Runner image version
-      run: echo "IMAGE_OS_VERSION=${ImageOS}-${ImageVersion}" >> "$GITHUB_ENV"
-    - name: Restore config.cache
-      uses: actions/cache@v4
-      with:
-        path: config.cache
-        key: ${{ github.job }}-${{ env.IMAGE_OS_VERSION }}-${{ needs.build-context.outputs.config-hash }}
-    - name: Register gcc problem matcher
-      run: echo "::add-matcher::.github/problem-matchers/gcc.json"
-    - name: Install dependencies
-      run: sudo ./.github/workflows/posix-deps-apt.sh
-    - name: Configure OpenSSL env vars
-      run: |
-        echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV"
-        echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}" >> "$GITHUB_ENV"
-        echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> "$GITHUB_ENV"
-    - name: 'Restore OpenSSL build'
-      id: cache-openssl
-      uses: actions/cache@v4
-      with:
-        path: ./multissl/openssl/${{ env.OPENSSL_VER }}
-        key: ${{ matrix.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
-    - name: Install OpenSSL
-      if: steps.cache-openssl.outputs.cache-hit != 'true'
-      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --openssl "$OPENSSL_VER" --system Linux
-    - name: Add ccache to PATH
-      run: |
-        echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
-    - name: Configure ccache action
-      uses: hendrikmuhs/ccache-action@v1.2
-      with:
-        save: false
-    - name: Configure CPython
-      run: ./configure CFLAGS="-fdiagnostics-format=json" --config-cache --enable-slower-safety --with-pydebug --with-openssl="$OPENSSL_DIR"
-    - name: Build CPython
-      run: make -j4
-    - name: Display build info
-      run: make pythoninfo
-    - name: SSL tests
-      run: ./python Lib/test/ssltests.py
-
-  build-ubuntu-ssltests-awslc:
-    name: 'Ubuntu SSL tests with AWS-LC'
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 60
-    needs: build-context
-    if: needs.build-context.outputs.run-tests == 'true'
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-24.04]
-        awslc_ver: [1.55.0]
-    env:
-      AWSLC_VER: ${{ matrix.awslc_ver}}
+      SSL_VER: ${{ matrix.ssl_ver }}
       MULTISSL_DIR: ${{ github.workspace }}/multissl
-      OPENSSL_DIR: ${{ github.workspace }}/multissl/aws-lc/${{ matrix.awslc_ver }}
-      LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/aws-lc/${{ matrix.awslc_ver }}/lib
+      SSL_DIR: ${{ github.workspace }}/multissl/${{ matrix.ssl }}/${{ matrix.ssl_ver }}
+      LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/${{ matrix.ssl }}/${{ matrix.ssl_ver }}/lib
     steps:
     - uses: actions/checkout@v4
       with:
@@ -356,22 +300,18 @@ jobs:
     - name: Configure SSL lib env vars
       run: |
         echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV"
-        echo "OPENSSL_DIR=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}" >> "$GITHUB_ENV"
-        echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/aws-lc/${AWSLC_VER}/lib" >> "$GITHUB_ENV"
-    - name: 'Restore AWS-LC build'
-      id: cache-aws-lc
+        echo "SSL_DIR=${GITHUB_WORKSPACE}/multissl/${{ matrix.ssl }}/${SSL_VER}" >> "$GITHUB_ENV"
+        echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/${{ matrix.ssl }}/${SSL_VER}/lib" >> "$GITHUB_ENV"
+    - name: 'Restore SSL build'
+      id: cache-ssl
       uses: actions/cache@v4
       with:
-        path: ./multissl/aws-lc/${{ matrix.awslc_ver }}
-        key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }}
-    - name: Install AWS-LC
-      if: steps.cache-aws-lc.outputs.cache-hit != 'true'
+        path: ./multissl/${{ env.SSL }}/${{ env.SSL_VER }}
+        key: ${{ matrix.os }}-multissl-${{ env.SSL }}-${{ env.SSL_VER }}
+    - name: Install SSL
+      if: steps.cache-ssl.outputs.cache-hit != 'true'
       run: |
-        python3 Tools/ssl/multissltests.py \
-          --steps=library \
-          --base-directory "$MULTISSL_DIR" \
-          --awslc ${{ matrix.awslc_ver }} \
-          --system Linux
+        python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --system Linux --ssl ${{ matrix.ssl }} --ssl-versions ${{ matrix.ssl_ver }}
     - name: Add ccache to PATH
       run: |
         echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
@@ -381,18 +321,18 @@ jobs:
         save: false
     - name: Configure CPython
       run: |
-        ./configure CFLAGS="-fdiagnostics-format=json" \
-          --config-cache \
-          --enable-slower-safety \
-          --with-pydebug \
-          --with-openssl="$OPENSSL_DIR" \
-          --with-builtin-hashlib-hashes=blake2 \
-          --with-ssl-default-suites=openssl
+        CMD=(./configure CFLAGS="-fdiagnostics-format=json" --config-cache --enable-slower-safety --with-pydebug --with-openssl="$SSL_DIR")
+        if [ "${{ matrix.ssl }}" = "openssl" ]; then
+          "${CMD[@]}"
+        else
+          "${CMD[@]}" --with-builtin-hashlib-hashes=blake2 --with-ssl-default-suites=openssl
+        fi
     - name: Build CPython
-      run: make -j
+      run: make -j4
     - name: Display build info
       run: make pythoninfo
     - name: Verify python is linked to AWS-LC
+      if: matrix.ssl == 'aws-lc'
       run: ./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' | grep AWS-LC
     - name: SSL tests
       run: ./python Lib/test/ssltests.py
@@ -435,7 +375,7 @@ jobs:
         key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
     - name: Install OpenSSL
       if: steps.cache-openssl.outputs.cache-hit != 'true'
-      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --openssl "$OPENSSL_VER" --system Linux
+      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --ssl 'openssl' --ssl-versions "$OPENSSL_VER" --system Linux
     - name: Add ccache to PATH
       run: |
         echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
@@ -567,7 +507,7 @@ jobs:
         key: ${{ matrix.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
     - name: Install OpenSSL
       if: steps.cache-openssl.outputs.cache-hit != 'true'
-      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --openssl "$OPENSSL_VER" --system Linux
+      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --ssl 'openssl' --ssl-versions "$OPENSSL_VER" --system Linux
     - name: Add ccache to PATH
       run: |
         echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
@@ -703,8 +643,7 @@ jobs:
     - build-windows-msi
     - build-macos
     - build-ubuntu
-    - build-ubuntu-ssltests-awslc
-    - build-ubuntu-ssltests-openssl
+    - build-ubuntu-ssltests
     - build-wasi
     - test-hypothesis
     - build-asan
@@ -719,8 +658,7 @@ jobs:
       with:
         allowed-failures: >-
           build-windows-msi,
-          build-ubuntu-ssltests-awslc,
-          build-ubuntu-ssltests-openssl,
+          build-ubuntu-ssltests,
           test-hypothesis,
           cifuzz,
         allowed-skips: >-
@@ -738,8 +676,7 @@ jobs:
             check-generated-files,
             build-macos,
             build-ubuntu,
-            build-ubuntu-ssltests-awslc,
-            build-ubuntu-ssltests-openssl,
+            build-ubuntu-ssltests,
             build-wasi,
             test-hypothesis,
             build-asan,
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index 76b19fd5d1a72e..607e7949161812 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -60,7 +60,7 @@ jobs:
         key: ${{ inputs.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
     - name: Install OpenSSL
       if: steps.cache-openssl.outputs.cache-hit != 'true'
-      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --openssl "$OPENSSL_VER" --system Linux
+      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --ssl openssl --ssl-versions "$OPENSSL_VER" --system Linux
     - name: Add ccache to PATH
       run: |
         echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"

From 3fcbe0d66363d53223d74d7542cbb6d3f3059959 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Mon, 14 Jul 2025 21:21:29 +0000
Subject: [PATCH 02/17] Preliminary refactor of multissltests.py, TODO migrate
 to classes

---
 Tools/ssl/multissltests.py | 74 ++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 40 deletions(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index f4c8fde8346fd9..969d5cc4b91e5d 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -86,33 +86,19 @@
 parser.add_argument(
     '--disable-ancient',
     action='store_true',
-    help="Don't test OpenSSL and LibreSSL versions without upstream support",
+    help="Don't test SSL versions without upstream support",
 )
 parser.add_argument(
-    '--openssl',
-    nargs='+',
-    default=(),
-    help=(
-        "OpenSSL versions, defaults to '{}' (ancient: '{}') if no "
-        "OpenSSL and LibreSSL versions are given."
-    ).format(OPENSSL_RECENT_VERSIONS, OPENSSL_OLD_VERSIONS)
-)
-parser.add_argument(
-    '--libressl',
-    nargs='+',
-    default=(),
-    help=(
-        "LibreSSL versions, defaults to '{}' (ancient: '{}') if no "
-        "OpenSSL and LibreSSL versions are given."
-    ).format(LIBRESSL_RECENT_VERSIONS, LIBRESSL_OLD_VERSIONS)
+    '--ssl',
+    choices=['openssl', 'awslc', 'libressl'],
+    default=None,
+    help="Which SSL lib to test. If not specified, all are tested.",
 )
 parser.add_argument(
-    '--awslc',
+    '--ssl-versions',
     nargs='+',
-    default=(),
-    help=(
-        "AWS-LC versions, defaults to '{}' if no crypto library versions are given."
-    ).format(AWSLC_RECENT_VERSIONS)
+    default=None,
+    help="SSL lib version(s), default depends on value passed to --ssl",
 )
 parser.add_argument(
     '--tests',
@@ -507,19 +493,6 @@ def configure_make():
 
 def main():
     args = parser.parse_args()
-    if not args.openssl and not args.libressl and not args.awslc:
-        args.openssl = list(OPENSSL_RECENT_VERSIONS)
-        args.libressl = list(LIBRESSL_RECENT_VERSIONS)
-        args.awslc = list(AWSLC_RECENT_VERSIONS)
-        if not args.disable_ancient:
-            args.openssl.extend(OPENSSL_OLD_VERSIONS)
-            args.libressl.extend(LIBRESSL_OLD_VERSIONS)
-
-    logging.basicConfig(
-        level=logging.DEBUG if args.debug else logging.INFO,
-        format="*** %(levelname)s %(message)s"
-    )
-
     start = datetime.now()
 
     if args.steps in {'modules', 'tests'}:
@@ -535,13 +508,34 @@ def main():
         # check for configure and run make
         configure_make()
 
+    logging.basicConfig(
+        level=logging.DEBUG if args.debug else logging.INFO,
+        format="*** %(levelname)s %(message)s"
+    )
+
+    ssl_libs = {
+        "openssl": [
+            BuildOpenSSL, OPENSSL_OLD_VERSIONS, OPENSSL_RECENT_VERSIONS, []
+        ],
+        "libressl": [
+            BuildLibreSSL, LIBRESSL_OLD_VERSIONS, LIBRESSL_RECENT_VERSIONS, []
+        ],
+        "awslc": [BuildAWSLC, [], AWSLC_RECENT_VERSIONS, []],
+    }
+    if args.ssl and args.ssl_versions:
+        ssl_libs[args.ssl][3] += args.ssl_versions
+    elif args.ssl:
+        ssl_libs[args.ssl][3] += ssl_libs[args.ssl][2]
+    else:
+        ssl_libs["openssl"][3] += ssl_libs["openssl"][2]
+        ssl_libs["libressl"][3] += ssl_libs["libressl"][2]
+        ssl_libs["awslc"][3] += ssl_libs["awslc"][2]
+        if not args.disable_ancient:
+            ssl_libs["openssl"][3] += ssl_libs["openssl"][1]
+            ssl_libs["libressl"][3] += ssl_libs["libressl"][1]
     # download and register builder
     builds = []
-    for build_class, versions in [
-        (BuildOpenSSL, args.openssl),
-        (BuildLibreSSL, args.libressl),
-        (BuildAWSLC, args.awslc),
-    ]:
+    for build_class, _, _, versions in ssl_libs.values():
         for version in versions:
             build = build_class(version, args)
             build.install()

From 5d8ec9aaea218a1e1f298e9065c9ba63cd9e05d9 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Mon, 14 Jul 2025 21:27:53 +0000
Subject: [PATCH 03/17] Fix aws-lc/awslc lib name discrepancy

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b068aaf96755e5..665befea8787c7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -275,7 +275,7 @@ jobs:
           - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.2.4 }
           - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.3.3 }
           - { os: ubuntu-24.04, ssl: openssl, ssl_ver: 3.4.1 }
-          - { os: ubuntu-24.04, ssl: aws-lc,  ssl_ver: 1.55.0 }
+          - { os: ubuntu-24.04, ssl: awslc,  ssl_ver: 1.55.0 }
         # See Tools/ssl/make_ssl_data.py for notes on adding a new version
     env:
       SSL_VER: ${{ matrix.ssl_ver }}

From 991c6b28096b4bfbb6634dcd07d725c7d9141f0d Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Mon, 14 Jul 2025 21:45:13 +0000
Subject: [PATCH 04/17] Migrate AbstractBuilder to abc

---
 Tools/ssl/multissltests.py | 104 +++++++++++++++++++++++++++----------
 1 file changed, 78 insertions(+), 26 deletions(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 969d5cc4b91e5d..916d1fd989ba92 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -24,6 +24,7 @@
 """
 from __future__ import print_function
 
+import abc
 import argparse
 from datetime import datetime
 import logging
@@ -146,11 +147,7 @@
 )
 
 
-class AbstractBuilder(object):
-    library = None
-    url_templates = None
-    src_template = None
-    build_template = None
+class AbstractBuilder(object, metaclass=abc.ABCMeta):
     depend_target = None
     install_target = 'install'
     if hasattr(os, 'process_cpu_count'):
@@ -158,6 +155,26 @@ class AbstractBuilder(object):
     else:
         jobs = os.cpu_count()
 
+    @property
+    @abstractmethod
+    def library(self):
+        pass
+
+    @property
+    @abstractmethod
+    def url_templates(self):
+        pass
+
+    @property
+    @abstractmethod
+    def src_template(self):
+        pass
+
+    @property
+    @abstractmethod
+    def build_template(self):
+        pass
+
     module_files = (
         os.path.join(PYTHONROOT, "Modules/_ssl.c"),
         os.path.join(PYTHONROOT, "Modules/_hashopenssl.c"),
@@ -167,9 +184,10 @@ class AbstractBuilder(object):
     def __init__(self, version, args):
         self.version = version
         self.args = args
+        libdir = self.library.lower().replace("-", "")
         # installation directory
         self.install_dir = os.path.join(
-            os.path.join(args.base_directory, self.library.lower()), version
+            os.path.join(args.base_directory, libdir), version
         )
         # source file
         self.src_dir = os.path.join(args.base_directory, 'src')
@@ -396,18 +414,30 @@ def run_python_tests(self, tests, network=True):
 
 
 class BuildOpenSSL(AbstractBuilder):
-    library = "OpenSSL"
-    url_templates = (
-        "https://github.com/openssl/openssl/releases/download/openssl-{v}/openssl-{v}.tar.gz",
-        "https://www.openssl.org/source/openssl-{v}.tar.gz",
-        "https://www.openssl.org/source/old/{s}/openssl-{v}.tar.gz"
-    )
-    src_template = "openssl-{}.tar.gz"
-    build_template = "openssl-{}"
     # only install software, skip docs
     install_target = 'install_sw'
     depend_target = 'depend'
 
+    @property
+    def library(self):
+        return "OpenSSL"
+
+    @property
+    def url_templates(self):
+        return (
+            "https://github.com/openssl/openssl/releases/download/openssl-{v}/openssl-{v}.tar.gz",
+            "https://www.openssl.org/source/openssl-{v}.tar.gz",
+            "https://www.openssl.org/source/old/{s}/openssl-{v}.tar.gz",
+        )
+
+    @property
+    def src_template(self):
+        return "openssl-{}.tar.gz"
+
+    @property
+    def build_template(self):
+        return "openssl-{}"
+
     def _post_install(self):
         if self.version.startswith("3."):
             self._post_install_3xx()
@@ -443,21 +473,43 @@ def short_version(self):
 
 
 class BuildLibreSSL(AbstractBuilder):
-    library = "LibreSSL"
-    url_templates = (
-        "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-{v}.tar.gz",
-    )
-    src_template = "libressl-{}.tar.gz"
-    build_template = "libressl-{}"
+    @property
+    def library(self):
+        return "LibreSSL"
+
+    @property
+    def url_templates(self):
+        return (
+            "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-{v}.tar.gz",
+        )
+
+    @property
+    def src_template(self):
+        return "libressl-{}.tar.gz"
+
+    @property
+    def build_template(self):
+        "libressl-{}"
 
 
 class BuildAWSLC(AbstractBuilder):
-    library = "AWS-LC"
-    url_templates = (
-        "https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz",
-    )
-    src_template = "aws-lc-{}.tar.gz"
-    build_template = "aws-lc-{}"
+    @property
+    def library(self):
+        return "AWS-LC"
+
+    @property
+    def url_templates(self):
+        return (
+            "https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz",
+        )
+
+    @property
+    def src_template(self):
+        return "aws-lc-{}.tar.gz"
+
+    @property
+    def build_template(self):
+        return "aws-lc-{}"
 
     def _build_src(self, config_args=()):
         cwd = self.build_dir

From 7b5149941e3a43cd041d9f3a8a9d73c2bbad600b Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Mon, 14 Jul 2025 21:53:45 +0000
Subject: [PATCH 05/17] Fix imports

---
 Tools/ssl/multissltests.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 916d1fd989ba92..4a20d41a529189 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -24,7 +24,8 @@
 """
 from __future__ import print_function
 
-import abc
+from abc import abstractmethod
+from abc import ABCMeta
 import argparse
 from datetime import datetime
 import logging
@@ -147,7 +148,7 @@
 )
 
 
-class AbstractBuilder(object, metaclass=abc.ABCMeta):
+class AbstractBuilder(object, metaclass=ABCMeta):
     depend_target = None
     install_target = 'install'
     if hasattr(os, 'process_cpu_count'):

From 66381275b0896a153fc50fbd5f35fa3b0ba48d1e Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Wed, 16 Jul 2025 19:36:43 +0000
Subject: [PATCH 06/17] Complete ABC refactor

---
 Tools/ssl/multissltests.py | 146 +++++++++++++++++++------------------
 1 file changed, 77 insertions(+), 69 deletions(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 4a20d41a529189..69305c638b5acb 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -44,29 +44,6 @@
 
 log = logging.getLogger("multissl")
 
-OPENSSL_OLD_VERSIONS = [
-    "1.1.1w",
-]
-
-OPENSSL_RECENT_VERSIONS = [
-    "3.0.16",
-    "3.1.8",
-    "3.2.4",
-    "3.3.3",
-    "3.4.1",
-    # See make_ssl_data.py for notes on adding a new version.
-]
-
-LIBRESSL_OLD_VERSIONS = [
-]
-
-LIBRESSL_RECENT_VERSIONS = [
-]
-
-AWSLC_RECENT_VERSIONS = [
-    "1.55.0",
-]
-
 # store files in ../multissl
 HERE = os.path.dirname(os.path.abspath(__file__))
 PYTHONROOT = os.path.abspath(os.path.join(HERE, '..', '..'))
@@ -155,32 +132,40 @@ class AbstractBuilder(object, metaclass=ABCMeta):
         jobs = os.process_cpu_count()
     else:
         jobs = os.cpu_count()
+    module_files = (
+        os.path.join(PYTHONROOT, "Modules/_ssl.c"),
+        os.path.join(PYTHONROOT, "Modules/_hashopenssl.c"),
+    )
+    module_libs = ("_ssl", "_hashlib")
 
     @property
     @abstractmethod
-    def library(self):
+    def library(self=None):
         pass
 
     @property
     @abstractmethod
-    def url_templates(self):
+    def url_templates(self=None):
         pass
 
     @property
     @abstractmethod
-    def src_template(self):
+    def src_template(self=None):
         pass
 
     @property
     @abstractmethod
-    def build_template(self):
+    def build_template(self=None):
         pass
 
-    module_files = (
-        os.path.join(PYTHONROOT, "Modules/_ssl.c"),
-        os.path.join(PYTHONROOT, "Modules/_hashopenssl.c"),
-    )
-    module_libs = ("_ssl", "_hashlib")
+    @property
+    @abstractmethod
+    def recent_versions():
+        pass
+
+    @property
+    def old_versions():
+        return []
 
     def __init__(self, version, args):
         self.version = version
@@ -420,11 +405,11 @@ class BuildOpenSSL(AbstractBuilder):
     depend_target = 'depend'
 
     @property
-    def library(self):
+    def library(self=None):
         return "OpenSSL"
 
     @property
-    def url_templates(self):
+    def url_templates(self=None):
         return (
             "https://github.com/openssl/openssl/releases/download/openssl-{v}/openssl-{v}.tar.gz",
             "https://www.openssl.org/source/openssl-{v}.tar.gz",
@@ -432,13 +417,28 @@ def url_templates(self):
         )
 
     @property
-    def src_template(self):
+    def src_template(self=None):
         return "openssl-{}.tar.gz"
 
     @property
-    def build_template(self):
+    def build_template(self=None):
         return "openssl-{}"
 
+    @property
+    def recent_versions():
+        return [
+            "3.0.16",
+            "3.1.8",
+            "3.2.4",
+            "3.3.3",
+            "3.4.1",
+            # See make_ssl_data.py for notes on adding a new version.
+        ]
+
+    @property
+    def old_versions():
+        return [ "1.1.1w" ]
+
     def _post_install(self):
         if self.version.startswith("3."):
             self._post_install_3xx()
@@ -475,43 +475,53 @@ def short_version(self):
 
 class BuildLibreSSL(AbstractBuilder):
     @property
-    def library(self):
+    def library(self=None):
         return "LibreSSL"
 
     @property
-    def url_templates(self):
+    def url_templates(self=None):
         return (
             "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-{v}.tar.gz",
         )
 
     @property
-    def src_template(self):
+    def src_template(self=None):
         return "libressl-{}.tar.gz"
 
     @property
-    def build_template(self):
+    def build_template(self=None):
         "libressl-{}"
 
+    @property
+    def recent_versions():
+        return []
+
 
 class BuildAWSLC(AbstractBuilder):
     @property
-    def library(self):
+    def library(self=None):
         return "AWS-LC"
 
     @property
-    def url_templates(self):
+    def url_templates(self=None):
         return (
             "https://github.com/aws/aws-lc/archive/refs/tags/v{v}.tar.gz",
         )
 
     @property
-    def src_template(self):
+    def src_template(self=None):
         return "aws-lc-{}.tar.gz"
 
     @property
-    def build_template(self):
+    def build_template(self=None):
         return "aws-lc-{}"
 
+    @property
+    def recent_versions():
+        return [
+            "1.55.0",
+        ]
+
     def _build_src(self, config_args=()):
         cwd = self.build_dir
         log.info("Running build in {}".format(cwd))
@@ -566,33 +576,31 @@ def main():
         format="*** %(levelname)s %(message)s"
     )
 
-    ssl_libs = {
-        "openssl": [
-            BuildOpenSSL, OPENSSL_OLD_VERSIONS, OPENSSL_RECENT_VERSIONS, []
-        ],
-        "libressl": [
-            BuildLibreSSL, LIBRESSL_OLD_VERSIONS, LIBRESSL_RECENT_VERSIONS, []
-        ],
-        "awslc": [BuildAWSLC, [], AWSLC_RECENT_VERSIONS, []],
-    }
-    if args.ssl and args.ssl_versions:
-        ssl_libs[args.ssl][3] += args.ssl_versions
-    elif args.ssl:
-        ssl_libs[args.ssl][3] += ssl_libs[args.ssl][2]
+    versions = []
+    ssl_libs = AbstractBuilder.__subclasses__()
+    if args.ssl:
+        lib_name = lambda x: x.library.fget().lower().replace("-", "")
+        libs = [l for l in ssl_libs if lib_name(l) == args.ssl]
+        assert len(libs) == 1
+        cls = libs.pop()
+        if args.ssl_versions:
+            versions += [(cls, v) for v in args.ssl_versions]
+        else:
+            versions += [(cls, v) for v in cls.recent_versions.fget()]
     else:
-        ssl_libs["openssl"][3] += ssl_libs["openssl"][2]
-        ssl_libs["libressl"][3] += ssl_libs["libressl"][2]
-        ssl_libs["awslc"][3] += ssl_libs["awslc"][2]
-        if not args.disable_ancient:
-            ssl_libs["openssl"][3] += ssl_libs["openssl"][1]
-            ssl_libs["libressl"][3] += ssl_libs["libressl"][1]
-    # download and register builder
+        if args.ssl_versions:
+            print("ERROR: SSL versions specified without specifying library")
+            exit(1)
+        for cls in ssl_libs:
+            versions += [(cls, v) for v in cls.recent_versions.fget()]
+            if not args.disable_ancient:
+                versions += [(cls, v) for v in cls.old_versions.fget()]
+
     builds = []
-    for build_class, _, _, versions in ssl_libs.values():
-        for version in versions:
-            build = build_class(version, args)
-            build.install()
-            builds.append(build)
+    for build_class, version in versions:
+        build = build_class(version, args)
+        build.install()
+        builds.append(build)
 
     if args.steps in {'modules', 'tests'}:
         for build in builds:

From 4e0a8caa51ac461604b7a6e7b7d082db02a790d3 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Wed, 16 Jul 2025 19:52:47 +0000
Subject: [PATCH 07/17] Colorize parser

---
 Tools/ssl/multissltests.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 69305c638b5acb..3fa1776d734e0f 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -57,6 +57,7 @@
         "versions."
     ),
 )
+parser.color = True
 parser.add_argument(
     '--debug',
     action='store_true',

From 1a90e0c3414f9c77607658e5a9c5450ea3de05d9 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Wed, 16 Jul 2025 19:54:46 +0000
Subject: [PATCH 08/17] Adjust compatibility comment

---
 Tools/ssl/multissltests.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 3fa1776d734e0f..88e2f0c7c78ad8 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -18,7 +18,8 @@
 search paths for header files and shared libraries. It's known to work on
 Linux with GCC and clang.
 
-Please keep this script compatible with Python 2.7, and 3.4 to 3.7.
+Please keep this script compatible with all currently-maintained Python
+versions.
 
 (c) 2013-2017 Christian Heimes <christian@python.org>
 """

From 1fcb49f9d440dd2d8cff58a4902a57e747f3fbea Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Wed, 16 Jul 2025 20:08:58 +0000
Subject: [PATCH 09/17] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?=
 =?UTF-8?q?lurb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst    | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst

diff --git a/Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst b/Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst
new file mode 100644
index 00000000000000..2cee0f7c034a06
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst
@@ -0,0 +1 @@
+Refactor multissltests.py and build.yml to better support testing additional cryptography libraries in the future.

From dd969fbaf1a84aa0a97c2024ec43c837c3d9a9ef Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Wed, 16 Jul 2025 20:10:08 +0000
Subject: [PATCH 10/17] =?UTF-8?q?Revert=20"=F0=9F=93=9C=F0=9F=A4=96=20Adde?=
 =?UTF-8?q?d=20by=20blurb=5Fit."?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 1fcb49f9d440dd2d8cff58a4902a57e747f3fbea.
---
 .../next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst    | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst

diff --git a/Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst b/Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst
deleted file mode 100644
index 2cee0f7c034a06..00000000000000
--- a/Misc/NEWS.d/next/Tests/2025-07-16-20-08-54.gh-issue-136728.RG4zP1.rst
+++ /dev/null
@@ -1 +0,0 @@
-Refactor multissltests.py and build.yml to better support testing additional cryptography libraries in the future.

From 3343120065d82d492326063e59ef2df381f808f3 Mon Sep 17 00:00:00 2001
From: WillChilds-Klein <willck93@gmail.com>
Date: Wed, 16 Jul 2025 20:12:33 +0000
Subject: [PATCH 11/17] Include old versions when using default versions

---
 Tools/ssl/multissltests.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 88e2f0c7c78ad8..2c8264dd09076b 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -589,6 +589,8 @@ def main():
             versions += [(cls, v) for v in args.ssl_versions]
         else:
             versions += [(cls, v) for v in cls.recent_versions.fget()]
+            if not args.disable_ancient:
+                versions += [(cls, v) for v in cls.old_versions.fget()]
     else:
         if args.ssl_versions:
             print("ERROR: SSL versions specified without specifying library")

From 0560203a9081c638d2b14045b50cec421644a02d Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 16 Jan 2026 23:20:17 +0200
Subject: [PATCH 12/17] Apply suggestions from code review

Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
---
 Tools/ssl/multissltests.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 778fc873929e40..a312ebc90db0aa 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -25,8 +25,7 @@
 """
 from __future__ import print_function
 
-from abc import abstractmethod
-from abc import ABCMeta
+from abc import ABCMeta, abstractmethod
 import argparse
 from datetime import datetime
 import logging
@@ -57,7 +56,6 @@
         "Run CPython tests with multiple cryptography libraries/versions."
     ),
 )
-parser.color = True
 parser.add_argument(
     '--debug',
     action='store_true',
@@ -70,7 +68,7 @@
 )
 parser.add_argument(
     '--ssl',
-    choices=['openssl', 'awslc', 'libressl'],
+    choices=('openssl', 'awslc', 'libressl'),
     default=None,
     help="Which SSL lib to test. If not specified, all are tested.",
 )
@@ -78,7 +76,7 @@
     '--ssl-versions',
     nargs='+',
     default=None,
-    help="SSL lib version(s), default depends on value passed to --ssl",
+    help="SSL lib versions, default depends on libs passed to --ssl",
 )
 parser.add_argument(
     '--tests',

From 08be1f27785da50efeac6364983cce31889f9180 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 16 Jan 2026 23:28:38 +0200
Subject: [PATCH 13/17] Bump GitHub Actions

---
 .github/workflows/add-issue-header.yml        |  2 +-
 .github/workflows/build.yml                   | 32 +++++++++----------
 .github/workflows/jit.yml                     | 18 +++++------
 .github/workflows/lint.yml                    |  2 +-
 .github/workflows/mypy.yml                    |  4 +--
 .../workflows/new-bugs-announce-notifier.yml  |  4 +--
 .github/workflows/reusable-context.yml        |  4 +--
 .github/workflows/reusable-docs.yml           | 12 +++----
 .github/workflows/reusable-macos.yml          |  2 +-
 .github/workflows/reusable-san.yml            |  4 +--
 .github/workflows/reusable-ubuntu.yml         |  4 +--
 .github/workflows/reusable-wasi.yml           |  6 ++--
 .github/workflows/reusable-windows-msi.yml    |  2 +-
 .github/workflows/reusable-windows.yml        |  2 +-
 .github/workflows/tail-call.yml               |  4 +--
 .github/workflows/verify-ensurepip-wheels.yml |  4 +--
 16 files changed, 53 insertions(+), 53 deletions(-)

diff --git a/.github/workflows/add-issue-header.yml b/.github/workflows/add-issue-header.yml
index 3cbc23af578d10..c404bc519300e2 100644
--- a/.github/workflows/add-issue-header.yml
+++ b/.github/workflows/add-issue-header.yml
@@ -20,7 +20,7 @@ jobs:
       issues: write
     timeout-minutes: 5
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v8
         with:
           # language=JavaScript
           script: |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 80267a4dc8ba70..beed92e60cbd33 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -64,7 +64,7 @@ jobs:
         run: |
           apt update && apt install git -yq
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           persist-credentials: false
@@ -101,10 +101,10 @@ jobs:
     needs: build-context
     if: needs.build-context.outputs.run-tests == 'true'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.x'
       - name: Runner image version
@@ -270,7 +270,7 @@ jobs:
       SSL_DIR: ${{ github.workspace }}/multissl/${{ matrix.ssl }}/${{ matrix.ssl_ver }}
       LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/${{ matrix.ssl }}/${{ matrix.ssl_ver }}/lib
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Runner image version
@@ -286,7 +286,7 @@ jobs:
         echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/${{ matrix.ssl }}/${SSL_VER}/lib" >> "$GITHUB_ENV"
     - name: 'Restore SSL build'
       id: cache-ssl
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ./multissl/${{ env.SSL }}/${{ env.SSL_VER }}
         key: ${{ env.IMAGE_OS_VERSION }}-multissl-${{ env.SSL }}-${{ env.SSL_VER }}
@@ -331,7 +331,7 @@ jobs:
 
     runs-on: ${{ matrix.runs-on }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Build and test
@@ -344,7 +344,7 @@ jobs:
     timeout-minutes: 60
     runs-on: macos-14
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
 
@@ -376,7 +376,7 @@ jobs:
       OPENSSL_VER: 3.0.18
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Register gcc problem matcher
@@ -390,7 +390,7 @@ jobs:
         echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> "$GITHUB_ENV"
     - name: 'Restore OpenSSL build'
       id: cache-openssl
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ./multissl/openssl/${{ env.OPENSSL_VER }}
         key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
@@ -440,7 +440,7 @@ jobs:
         ./python -m venv "$VENV_LOC" && "$VENV_PYTHON" -m pip install -r "${GITHUB_WORKSPACE}/Tools/requirements-hypothesis.txt"
     - name: 'Restore Hypothesis database'
       id: cache-hypothesis-database
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ${{ env.CPYTHON_BUILDDIR }}/.hypothesis/
         key: hypothesis-database-${{ github.head_ref || github.run_id }}
@@ -467,7 +467,7 @@ jobs:
           -x test_subprocess \
           -x test_signal \
           -x test_sysconfig
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@v6
       if: always()
       with:
         name: hypothesis-example-db
@@ -488,7 +488,7 @@ jobs:
       PYTHONSTRICTEXTENSIONBUILD: 1
       ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Runner image version
@@ -498,7 +498,7 @@ jobs:
     - name: Install dependencies
       run: sudo ./.github/workflows/posix-deps-apt.sh
     - name: Set up GCC-10 for ASAN
-      uses: egor-tensin/setup-gcc@v1
+      uses: egor-tensin/setup-gcc@v2
       with:
         version: 10
     - name: Configure OpenSSL env vars
@@ -508,7 +508,7 @@ jobs:
         echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> "$GITHUB_ENV"
     - name: 'Restore OpenSSL build'
       id: cache-openssl
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ./multissl/openssl/${{ env.OPENSSL_VER }}
         key: ${{ matrix.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
@@ -558,7 +558,7 @@ jobs:
     needs: build-context
     if: needs.build-context.outputs.run-ubuntu == 'true'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Runner image version
@@ -615,7 +615,7 @@ jobs:
           sanitizer: ${{ matrix.sanitizer }}
       - name: Upload crash
         if: failure() && steps.build.outcome == 'success'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.sanitizer }}-artifacts
           path: ./out/artifacts
diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
index 62325250bd368e..a6bade2c044f80 100644
--- a/.github/workflows/jit.yml
+++ b/.github/workflows/jit.yml
@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 90
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Build tier two interpreter
@@ -92,10 +92,10 @@ jobs:
             architecture: aarch64
             runner: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -140,10 +140,10 @@ jobs:
         llvm:
           - 21
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
       - name: Build with JIT enabled and GIL disabled
@@ -168,10 +168,10 @@ jobs:
         llvm:
           - 21
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
       - name: Build with JIT
@@ -195,10 +195,10 @@ jobs:
         llvm:
           - 21
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
       - name: Build with JIT and tailcall
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 12fad966845dea..0ded53b00da0ef 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -19,7 +19,7 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - uses: j178/prek-action@v1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 8810730e193bb6..db363bef7a45ae 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -65,10 +65,10 @@ jobs:
           "Tools/peg_generator",
         ]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.13"
           cache: pip
diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
index 9f1a8a824e5f19..b25750f0897de2 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -13,12 +13,12 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: 20
       - run: npm install mailgun.js form-data
       - name: Send notification
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           MAILGUN_API_KEY: ${{ secrets.MAILGUN_PYTHON_ORG_MAILGUN_KEY }}
         with:
diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
index ce5562f2d51fbb..aa2ee275a57fa9 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -66,14 +66,14 @@ jobs:
       run-windows-tests: ${{ steps.changes.outputs.run-windows-tests }}
     steps:
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: "3"
 
     - run: >-
         echo '${{ github.event_name }}'
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
         ref: >-
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index 65154aae4c41d5..fc68c040fca059 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -27,7 +27,7 @@ jobs:
       refspec_pr: '+${{ github.event.pull_request.head.sha }}:remotes/origin/${{ github.event.pull_request.head.ref }}'
     steps:
     - name: 'Check out latest PR branch commit'
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         persist-credentials: false
         ref: >-
@@ -52,7 +52,7 @@ jobs:
         git fetch origin "${refspec_base}" --shallow-since="${DATE}" \
           --no-tags --prune --no-recurse-submodules
     - name: 'Set up Python'
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: '3'
         cache: 'pip'
@@ -82,10 +82,10 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
-    - uses: actions/cache@v4
+    - uses: actions/cache@v5
       with:
         path: ~/.cache/pip
         key: ubuntu-doc-${{ hashFiles('Doc/requirements.txt') }}
@@ -108,11 +108,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: 'Set up Python'
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: '3'
         cache: 'pip'
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index 98d557ba1eab84..7eef66bd9d9324 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -28,7 +28,7 @@ jobs:
       PYTHONSTRICTEXTENSIONBUILD: 1
       TERM: linux
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Runner image version
diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
index c601d0b73380d4..49876cf49260d9 100644
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Runner image version
@@ -99,7 +99,7 @@ jobs:
       run: find "${GITHUB_WORKSPACE}" -name 'san_log.*' | xargs head -n 1000
     - name: Archive logs
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: >-
           ${{ inputs.sanitizer }}-logs-${{
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index 02ba5dea268e8a..16d5f08fcacd43 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -31,7 +31,7 @@ jobs:
       PYTHONSTRICTEXTENSIONBUILD: 1
       TERM: linux
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Register gcc problem matcher
@@ -51,7 +51,7 @@ jobs:
         echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> "$GITHUB_ENV"
     - name: 'Restore OpenSSL build'
       id: cache-openssl
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ./multissl/openssl/${{ env.OPENSSL_VER }}
         key: ${{ inputs.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
diff --git a/.github/workflows/reusable-wasi.yml b/.github/workflows/reusable-wasi.yml
index 91d76fd1b5f8c5..4b03712eb1ee08 100644
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -18,7 +18,7 @@ jobs:
       CROSS_BUILD_PYTHON: cross-build/build
       CROSS_BUILD_WASI: cross-build/wasm32-wasip1
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     # No problem resolver registered as one doesn't currently exist for Clang.
@@ -28,7 +28,7 @@ jobs:
         version: ${{ env.WASMTIME_VERSION }}
     - name: "Restore WASI SDK"
       id: cache-wasi-sdk
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ${{ env.WASI_SDK_PATH }}
         key: ${{ runner.os }}-wasi-sdk-${{ env.WASI_SDK_VERSION }}
@@ -41,7 +41,7 @@ jobs:
     - name: "Add ccache to PATH"
       run: echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
     - name: "Install Python"
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: '3.x'
     - name: "Runner image version"
diff --git a/.github/workflows/reusable-windows-msi.yml b/.github/workflows/reusable-windows-msi.yml
index c95e40a38095f9..c7611804369600 100644
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -23,7 +23,7 @@ jobs:
       ARCH: ${{ inputs.arch }}
       IncludeFreethreaded: true
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Build CPython installer
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index 0648b770753255..82ea819867ef6d 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -26,7 +26,7 @@ jobs:
     env:
       ARCH: ${{ inputs.arch }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         persist-credentials: false
     - name: Register MSVC problem matcher
diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml
index 1bc1bf20de0e06..335e1a93dce4ea 100644
--- a/.github/workflows/tail-call.yml
+++ b/.github/workflows/tail-call.yml
@@ -72,10 +72,10 @@ jobs:
             architecture: x86_64
             runner: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index 463e7bf3355cc3..135979078710cc 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -25,10 +25,10 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3'
       - name: Compare checksum of bundled wheels to the ones published on PyPI

From 31325c5dfcbaf5b09798535c63080bc0899a606e Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 16 Jan 2026 23:58:26 +0200
Subject: [PATCH 14/17] Retain multiline

---
 .github/workflows/build.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8cfdb101bc3e2c..ce69b2eb1215c2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -298,7 +298,12 @@ jobs:
     - name: Install SSL
       if: steps.cache-ssl.outputs.cache-hit != 'true'
       run: |
-        python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --system Linux --ssl ${{ matrix.ssl }} --ssl-versions ${{ matrix.ssl_ver }}
+        python3 Tools/ssl/multissltests.py \
+          --steps=library \
+          --base-directory "$MULTISSL_DIR" \
+          --ssl ${{ matrix.ssl }} \
+          --ssl-versions ${{ matrix.ssl_ver }} \
+          --system Linux
     - name: Add ccache to PATH
       run: |
         echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"

From 94a826d26262e0c962e299b2a44849391cefdd4e Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sat, 17 Jan 2026 00:04:09 +0200
Subject: [PATCH 15/17] Use extend instead of += [...]

---
 Tools/ssl/multissltests.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index a312ebc90db0aa..c9fe242dcdd232 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -586,19 +586,19 @@ def main():
         assert len(libs) == 1
         cls = libs.pop()
         if args.ssl_versions:
-            versions += [(cls, v) for v in args.ssl_versions]
+            versions.extend((cls, v) for v in args.ssl_versions])
         else:
-            versions += [(cls, v) for v in cls.recent_versions.fget()]
+            versions.extend([(cls, v) for v in cls.recent_versions.fget()])
             if not args.disable_ancient:
-                versions += [(cls, v) for v in cls.old_versions.fget()]
+                versions.extend([(cls, v) for v in cls.old_versions.fget()])
     else:
         if args.ssl_versions:
             print("ERROR: SSL versions specified without specifying library")
             exit(1)
         for cls in ssl_libs:
-            versions += [(cls, v) for v in cls.recent_versions.fget()]
+            versions.extend([(cls, v) for v in cls.recent_versions.fget()])
             if not args.disable_ancient:
-                versions += [(cls, v) for v in cls.old_versions.fget()]
+                versions.extend([(cls, v) for v in cls.old_versions.fget()])
 
     builds = []
     for build_class, version in versions:

From 9113833ebbad3e2faa76857aa17d789295b54e16 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sat, 17 Jan 2026 00:09:46 +0200
Subject: [PATCH 16/17] Remove 3.3 block, use long options

---
 Tools/ssl/multissltests.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index c9fe242dcdd232..e4fea0e7e37c63 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -387,13 +387,11 @@ def run_python_tests(self, tests, network=True):
                 os.path.join(PYTHONROOT, 'Lib/test/ssltests.py'),
                 '-j0'
             ]
-        elif sys.version_info < (3, 3):
-            cmd = [sys.executable, '-m', 'test.regrtest']
         else:
             cmd = [sys.executable, '-m', 'test', '-j0']
         if network:
-            cmd.extend(['-u', 'network', '-u', 'urlfetch'])
-        cmd.extend(['-w', '-r'])
+            cmd.extend(['--use', 'network', '--use', 'urlfetch'])
+        cmd.extend(['--rerun', '--randomize'])
         cmd.extend(tests)
         self._subprocess_call(cmd, stdout=None)
 

From 942434a70df318c9e7cafe17c1ccade2e1929042 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sat, 17 Jan 2026 13:56:10 +0200
Subject: [PATCH 17/17] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 .github/workflows/build.yml | 1 -
 Tools/ssl/multissltests.py  | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ce69b2eb1215c2..e3dd59e2100c03 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -699,7 +699,6 @@ jobs:
             && '
             build-ubuntu,
             build-ubuntu-ssltests,
-            build-wasi,
             test-hypothesis,
             build-asan,
             build-san,
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index e4fea0e7e37c63..93ca98c1c87009 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -584,9 +584,9 @@ def main():
         assert len(libs) == 1
         cls = libs.pop()
         if args.ssl_versions:
-            versions.extend((cls, v) for v in args.ssl_versions])
+            versions.extend((cls, v) for v in args.ssl_versions)
         else:
-            versions.extend([(cls, v) for v in cls.recent_versions.fget()])
+            versions.extend((cls, v) for v in cls.recent_versions.fget())
             if not args.disable_ancient:
                 versions.extend([(cls, v) for v in cls.old_versions.fget()])
     else: