From 511cc02278b12a59aaf84747a5dc0a3ebe02635a Mon Sep 17 00:00:00 2001
From: yhirose <yuji.hirose.bug@gmail.com>
Date: Wed, 29 Apr 2026 07:55:09 +0900
Subject: [PATCH] Suppress wolfSSL library leaks; remove fail-fast from test
 matrix

Add a libwolfssl entry to lsan_suppressions.txt to mirror the existing
libcrypto rule: the wolfSSL ECC subsystem caches per-handshake buffers
that are only freed at library shutdown, which the test binaries do
not perform. These are not leaks in cpp-httplib code.

Disable fail-fast on the ubuntu / macos / windows matrices so a failure
in one TLS backend does not cancel the others; with the runner now
detecting failures correctly, we want to see the full picture per run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/test.yaml | 3 +++
 test/lsan_suppressions.txt  | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index c7df48e..805421f 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -75,6 +75,7 @@ jobs:
        github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) ||
       (github.event_name == 'workflow_dispatch' && github.event.inputs.test_linux == 'true')
     strategy:
+      fail-fast: false
       matrix:
         tls_backend: [openssl, mbedtls, wolfssl]
     name: ubuntu (${{ matrix.tls_backend }})
@@ -208,6 +209,7 @@ jobs:
        github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) ||
       (github.event_name == 'workflow_dispatch' && github.event.inputs.test_macos == 'true')
     strategy:
+      fail-fast: false
       matrix:
         tls_backend: [openssl, mbedtls, wolfssl]
     name: macos (${{ matrix.tls_backend }})
@@ -248,6 +250,7 @@ jobs:
        github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) ||
       (github.event_name == 'workflow_dispatch' && github.event.inputs.test_windows == 'true')
     strategy:
+      fail-fast: false
       matrix:
         config:
         - with_ssl: false
diff --git a/test/lsan_suppressions.txt b/test/lsan_suppressions.txt
index 1e177a6..a92f6d6 100644
--- a/test/lsan_suppressions.txt
+++ b/test/lsan_suppressions.txt
@@ -1,3 +1,7 @@
 # OpenSSL 3.x internal caches (provider, cipher, keymgmt) are allocated
 # lazily and intentionally kept until process exit. These are not real leaks.
 leak:libcrypto
+
+# wolfSSL keeps ECC point/scratch buffers alive across handshakes; they are
+# released only at library shutdown which the test binaries do not invoke.
+leak:libwolfssl