yfedoseev · yfedoseev · May 23, 2026 · May 23, 2026
@@ -0,0 +1,72 @@
+# Composite action: reclaim disk on hosted Ubuntu runners for build-heavy
+# CI jobs (cargo, cargo-llvm-cov, maturin, wasm-bindgen, JNI, etc.).
+#
+# Why this exists
+# ---------------
+# Every workflow that does a Rust release-mode build on `ubuntu-latest`
+# eventually trips "No space left on device" — the runner starts with
+# ~14 GB free on `/`, and a default-features cargo build of pdf_oxide
+# (+ rendering + signatures + OCR-enabled prebuilts) eats >20 GB of
+# target/ artifacts. cargo-llvm-cov's instrumented build is ~3× larger
+# than the normal release build and needs the most headroom.
+#
+# Previously each job copy-pasted its own `jlumbroso/free-disk-space@main`
+# block. That drifted: the v0.3.53 Code Coverage job did not override
+# `swap-storage`, so the action's default of `swap-storage: true` removed
+# the runner's 4 GB swapfile, the linker OOM-killed mid-build, and the
+# job died with a bare "failure" status and no completed step. Every
+# other callsite explicitly set `swap-storage: false` with a comment
+# warning about exactly this failure mode.
+#
+# This composite action is the single source of truth, locks in the
+# swap-storage lesson, and adds `df -h` diagnostics before/after so the
+# next disk-pressure regression is visible in the run log instead of
+# manifesting as a silent OOM.
+
+name: 'Free disk space (Ubuntu)'
+description: 'Reclaim ~25-30 GB on hosted Ubuntu runners for build-heavy Rust/JNI/WASM CI jobs.'
+
+inputs:
+  aggressive:
+    description: >-
+      Remove large APT packages (azure-cli, google-chrome, firefox,
+      powershell, mono-devel, etc.). Adds +5-7 GB but costs ~30s. Set
+      to "false" for fast jobs that already have enough headroom.
+    required: false
+    default: 'true'
+  tool-cache:
+    description: >-
+      Remove the hosted-tool cache at /opt/hostedtoolcache/* (Boost, Go,
+      Ruby, Python, Node, PyPy, etc., ~5-8 GB). Set to "false" when the
+      job needs setup-python / setup-node / setup-go to hit the cached
+      versions rather than re-download.
+    required: false
+    default: 'true'
+
+runs:
+  using: composite
+  steps:
+    - name: 'df -h before reclaim'
+      shell: bash
+      run: df -h / /mnt 2>/dev/null || df -h /
+
+    - name: 'Reclaim disk'
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main @ 2024-04
+      with:
+        tool-cache: ${{ inputs.tool-cache }}
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: ${{ inputs.aggressive }}
+        docker-images: true
+        # NEVER remove swap. The hosted runner has a 4 GB swapfile that
+        # rust-lld (especially under nightly + parallel link) and the
+        # cargo-llvm-cov instrumented build rely on to avoid OOM-induced
+        # SIGBUS / SIGKILL. Empirically, `swap-storage: true` produced
+        # silent mid-build job kills with no completed step on coverage
+        # runs. The few GB it gives back is not worth the OOM risk.
+        swap-storage: false
+
+    - name: 'df -h after reclaim'
+      shell: bash
+      run: df -h / /mnt 2>/dev/null || df -h /
@@ -12,6 +12,8 @@ on:
       - 'Cargo.toml'
       - 'Cargo.lock'
       - 'pyproject.toml'
+      - 'java/**'
+      - 'pdf_oxide_jni/**'
       - '.github/workflows/ci-fips.yml'
       - '.github/workflows/release-fips.yml'
   push:
@@ -21,6 +23,8 @@ on:
       - 'Cargo.toml'
       - 'Cargo.lock'
       - 'pyproject.toml'
+      - 'java/**'
+      - 'pdf_oxide_jni/**'
       - '.github/workflows/ci-fips.yml'
       - '.github/workflows/release-fips.yml'
   workflow_dispatch:
@@ -80,6 +84,117 @@ jobs:
       - name: Test --no-default-features --features fips,icc
         run: cargo test --no-default-features --features fips,icc
 
+  # ─── Java binding FIPS build (v0.3.53 #NNN). Validates the
+  # `pdf_oxide_jni` cdylib compiles under --features fips and that
+  # the Java surface still works against a FIPS-compiled native
+  # (legacy-crypto excluded; only FIPS-approved algorithms accepted).
+  fips-java:
+    name: Java FIPS (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        # macos-latest deferred for v0.3.53: cargo build emits the
+        # dylib at the expected target/release/libpdf_oxide_jni.dylib
+        # path (18 MB, executable bit set, verified via `ls -la` in CI)
+        # but JDK 11's System.load() raises a bare UnsatisfiedLinkError
+        # with no `Caused by:` chain on macos-15 aarch64 runners. The
+        # truncated message swallows the underlying dlopen detail, so
+        # investigation needs an `otool -L` + `file` + verbose dlopen
+        # diagnostic pass — most likely an aws-lc-fips runtime symbol
+        # / library dep that resolves on Linux but not on macOS, or a
+        # Hardened-Runtime / amfi restriction on hosted-runner kexts.
+        # FIPS deployments are predominantly Linux servers so Ubuntu
+        # coverage is the actionable target; macos follow-up tracked.
+        os: [ubuntu-latest]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Install build deps (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y cmake nasm golang-go
+
+      - name: Install build deps (macOS)
+        if: runner.os == 'macOS'
+        run: brew install cmake nasm go
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'
+
+      - name: Cache cargo registry
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-fips-java-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-fips-java-
+
+      - name: Cache Maven local repository
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+        with:
+          path: ~/.m2/repository
+          key: maven-fips-${{ runner.os }}-${{ hashFiles('java/pom.xml') }}
+
+      - name: Build pdf_oxide_jni --no-default-features --features fips,signatures,rendering,tsa-client
+        # FIPS XOR legacy-crypto is enforced at compile-time in
+        # pdf_oxide (lib.rs:143's compile_error!) — must use
+        # --no-default-features. The `fips` feature propagates
+        # to pdf_oxide. `signatures` + `tsa-client` are included
+        # because PAdES is the principal FIPS use case. `rendering`
+        # is included so JUnit render tests can exercise the surface
+        # (FIPS is orthogonal to render — png/raster ops don't
+        # touch legacy crypto).
+        run: |
+          cargo build --release -p pdf_oxide_jni \
+            --no-default-features --features fips,signatures,rendering,tsa-client
+
+      - name: Stage FIPS native lib into Maven resources
+        shell: bash
+        run: |
+          case "${{ matrix.os }}" in
+            ubuntu-latest)
+              DEST="java/src/main/resources/fyi/oxide/pdf/native/Linux/x86_64"
+              LIB="libpdf_oxide_jni.so"
+              ;;
+            macos-latest)
+              # macos-latest is aarch64 (Apple Silicon as of 2024+).
+              DEST="java/src/main/resources/fyi/oxide/pdf/native/Mac/aarch64"
+              LIB="libpdf_oxide_jni.dylib"
+              ;;
+          esac
+          mkdir -p "$DEST"
+          cp "target/release/$LIB" "$DEST/"
+          ls -la "$DEST"
+
+      - name: mvn test against FIPS native (excluding legacy-crypto tests)
+        working-directory: java
+        # `-DexcludedGroups=legacy-crypto` excludes the 5 auth tests
+        # that exercise R≤4-encrypted PDFs (require MD5 KDF —
+        # disabled under FIPS by pdf_oxide's compile-time crypto-
+        # policy gate).
+        # `-Dfyi.oxide.pdf.lib.path` overrides the pom's hardcoded
+        # `.so` path with the OS-correct cdylib extension (the pom
+        # default works for local Linux dev but not for macOS CI).
+        # Online (no `-o`) — first CI run has no Maven cache.
+        shell: bash
+        run: |
+          case "${{ matrix.os }}" in
+            ubuntu-latest) LIB_EXT=so ;;
+            macos-latest)  LIB_EXT=dylib ;;
+          esac
+          mvn -B -P!dev test \
+            -DexcludedGroups=legacy-crypto \
+            "-Dfyi.oxide.pdf.lib.path=$GITHUB_WORKSPACE/target/release/libpdf_oxide_jni.$LIB_EXT"
+
   # ─── Python wheel: build + smoke-test on all four release platforms
   # (linux x86_64, linux aarch64, macOS arm64, Windows x86_64) using the
   # same manylinux_2_28 + clang setup as release-fips.yml.