The pedantic level is experimental. If it causes issues, we may just
disable it alongside the ignore comments.
Also:
- silence error:
```
INFO audit: zizmor: completed label.yml
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> label.yml:13:1
|
13 | 'on': [pull_request_target]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
|
= note: audit confidence -> Medium
```
- fix pedantic warning:
```
INFO audit: zizmor: completed label.yml
warning[excessive-permissions]: overly broad permissions
--> label.yml:1:1
... |
24 | | with:
25 | | repo-token: '${{ secrets.GITHUB_TOKEN }}'
| |____________________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence -> Medium
```
- silence `template-injection` false positives like:
```
- note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code
- note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code
```
It doesn't seem like these could be controlled by an attacker.
Let me know if I'm missing something.
Closes #17278
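A labeling workflow shaped to address the `dangerous-triggers` and `excessive-permissions` findings quoted above, as an added example that is not curl's actual `label.yml`. The `actions/labeler` action, its version tag, the job name and the permission set it is granted are assumptions.

```yaml
# Hypothetical label.yml, constructed for illustration.
name: Labeler

# pull_request_target runs in the context of the base repository and
# receives its token, so this workflow must not check out or execute
# code from the pull request. The trailing comment records that the
# trigger was reviewed and silences the dangerous-triggers audit.
'on': [pull_request_target]  # zizmor: ignore[dangerous-triggers]

# Deny everything at workflow level. Without any permissions: block the
# token falls back to the repository default, which is what the
# excessive-permissions audit reports.
permissions: {}

jobs:
  labeler:
    runs-on: ubuntu-latest
    # Grant only what applying labels needs (assumed set for the
    # labeler action): read the config, write to the pull request.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Deliberately no actions/checkout of the PR head here.
      - uses: actions/labeler@v5  # assumed action and version
        with:
          repo-token: '${{ secrets.GITHUB_TOKEN }}'
```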
The unplanned dropping of the granular vcpkg binary cache indeed fell
into the cracks between Microsoft's various departments. The old method
is now officially dropped, without replacement either on the vcpkg side or
the GitHub cache provider side.
Without a granular cache, vcpkg is impractical for builds larger than
a small dependency tree in CI, for performance reasons.
A granular cache is critical for CI use. Building dependencies is not
a goal of this CI, so a more desirable option would be pre-built binary
downloads. This would also allow keeping job timeouts low, which is
important for quick iteration in GHA when a flaky job requiring a manual
retry needs all other jobs to finish first. (GHA often disregards
step timeouts, which is another contributing factor here.)
Windows remains tested extensively with MSYS2, curl-for-win, and via
AppVeyor CI with MSVC + OpenSSL, and also in GHA via scaled back vcpkg
jobs that perform well without caching. What's lost is the recently
added Android OpenSSL build tests.
We may consider building/caching important dependencies manually as in
GHA/linux-http3, and/or try integrating MSVC jobs with MSYS2 UCRT DLLs.
Ref: https://github.com/microsoft/vcpkg-tool/pull/1662
Ref: https://github.com/microsoft/vcpkg/issues/45073
Follow-up to cd0ec4784c #17089
Follow-up to e3912f0f9f #17086
Follow-up to 15fb1dc7f8 #17069
Closes #17200
This step could take from 5 seconds to 5 minutes, sometimes making it
run out of its time slot. It affected 60 CI jobs.
Saving an estimated minimum of 5 minutes per CI run.
Also fixing:
```
Fri, 25 Apr 2025 06:19:14 GMT
Processing triggers for man-db (2.12.0-4build2) ...
Fri, 25 Apr 2025 06:23:40 GMT
Running kernel seems to be up-to-date.
[...]
Error: The action 'install packages' has timed out after 5 minutes.
```
Ref: https://github.com/curl/curl/actions/runs/14658212268/job/41136971525?pr=17180#step:2:169
Closes #17181
They typically finish (well) within 10 minutes.
A notable exception was vcpkg jobs when a rebuild was triggered.
With caching lost and reducing them to short builds, this is not
an issue at the moment.
The advantage of shorter timeouts is hung/crashed jobs giving back
control earlier for a manual retry.
Closes #17173
To keep testing these with MSVC:
- UWP !ssl
- arm64 build on the `windows-11-arm` runner
- examples
- OpenSSH-Windows (fix install on `windows-11-arm`)
- `windows-2025` runner
- cmake pre-fill checker
Surprise: UWP doesn't support SSPI, which is required by curl's Schannel
backend. Thus, no TLS support for this UWP build. It also suggests
the Schannel UWP mingw-w64 binaries may be broken and just a happy build
accident thanks to mingw-w64 headers being inaccurate.
Building zlib + libssh2 might actually take up to 2+ minutes with vcpkg,
instead of the previously estimated <1.5 minutes.
Follow-up to e3912f0f9f #17086
Follow-up to 15fb1dc7f8 #17069
Closes #17089
In the last 1-2 days, curl's vcpkg binary cache entries stored by GHA
apparently disappeared, and each vcpkg job is now rebuilding everything
on every run. This takes up to 40 minutes per job. New cache entries
fail on upload with messages like:
```
Completed submission of nghttp2:arm64-android@1.65.0 to 0 binary cache(s) in 172 ms
```
(note the zero.)
This coincided with my adding support for windows-11-arm and touching
some jobs affected. Yet, unrelated. It also affects Android jobs. The root
cause is a runner image update bumping the vcpkg tool.
The latest vcpkg tool also has this issue.
As a temporary workaround, stop using vcpkg in CI.
Last good run: https://github.com/curl/curl/actions/runs/14473789417/job/40594304523
First bad run: https://github.com/curl/curl/actions/runs/14474616982/job/40597095025
Assisted-by: Tal Regev
Ref: #17070
Closes #17069
- bump an MSYS2/mingw job to windows-2025 runner.
(MSVC is possible, but vcpkg needs to build for windows-2025, and
can't share these with windows-2022 builds, so not optimal for
a single canary job.)
- skip installing OpenSSH-Windows-builtin on windows-2025.
It's preinstalled:
```
ssh client found /c/Windows/System32/OpenSSH/ssh.exe is OpenSSH-Windows 9.5.0
ssh server found /c/Windows/System32/OpenSSH/sshd.exe is OpenSSH-Windows 9.5.0
```
Still older than the manual preview install (9.8.1), so keep using that.
Closes #17066
To allow configuring path styles for SCP and SFTP servers separately.
- make `scp://` URLs use `%SCP_PWD` (was: `%SSH_PWD`).
- make `%SCP_PWD` equal to `%POSIX_PWD`.
To fix test 3022 with OpenSSH-Windows 9.8.0 server.
The fix works on a local machine. Remains broken in CI.
Before this patch, it was equal to `%FILE_PWD` when using
OpenSSH-Windows, otherwise it was `%POSIX_PWD`.
Notice that no matter what path-style we pass, test 3022
was and still is broken with earlier OpenSSH-Windows versions.
(as tested with 9.5.0, 9.5.0-beta20240403, 8.0.0.1)
- rename rest of `%SSH_PWD` uses to `%SFTP_PWD`.
- drop unused `%POSIX_PWD`.
- GHA/windows: test with OpenSSH-Windows server again.
In the LibreSSL MSVC job. This job is short enough to fit the slow
install of the built-in OpenSSH-Windows tools, if needed.
Follow-up to 1abb087a9c #5298
Ref: #16803
Closes #17041
On the windows-2022 runner it installs these client/server versions:
```
ssh client found /c/Windows/System32/OpenSSH/ssh.exe is OpenSSH-Windows 9.5.0
ssh server found /c/Windows/System32/OpenSSH/sshd.exe is OpenSSH-Windows 8.1.0
```
Not currently enabled. Slight downside (when enabled) that Windows needs
over 1 minute to install these two tiny programs.
Closes #17046
To allow making per-job variations for SSH backends.
Also:
- fix Cygwin builds to not ignore per-job `install:` items.
It worked by accident before this patch.
Follow-up to 66313cc036 #16629
Closes #16911
curl now has a working GnuTLS CI job, with tests, with MSYS2.
The MultiSSL build scenario is now tested on macOS.
The vcpkg GnuTLS package seems to have a deep dependency tree with large
packages that need to be rebuilt relatively frequently. Since they can't
fit into the time limit, these cause CI failures.
To stabilize CI, drop the `shiftmedia-libgnutls` dependency.
Partial revert of e86f99824c #16623
Ref: https://github.com/curl/curl/actions/runs/14192680124/job/39760753274?pr=16902
Closes #16904
Setting a server-side file read-only by `chmod 0444` does not
prevent overwriting it via SFTP upload (as tested in CI).
Fix it by setting its MS-DOS read-only attribute in addition. It
requires the Cygwin tool `chattr`.
Also unignore in CI.
Fixes:
```
test 0615...[SFTP put remote failure]
curl returned 0, when expecting 9
615: exit FAILED
=== Start of file stderr615
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 30 0 0 100 30 0 93 --:--:-- --:--:-- --:--:-- 95
100 30 0 0 100 30 0 92 --:--:-- --:--:-- --:--:-- 92
=== End of file stderr615
```
Ref: https://github.com/curl/curl/actions/runs/14037991918/job/39300723214#step:12:1269
Closes #16818
Use the `PATH` `/usr/bin` to avoid any Windows system or 3rd-party tool
installed on the runner machine that may interfere with or add undesired
dependencies to the builds and tests.
Follow-up to d838d43430 #16465
Ref: #16437
Closes #16814
Install on drive `D:` which has much better write performance than `C:`,
on GitHub Windows runner machines.
- It's bringing down `dl-mingw` installation steps to 5-15s per job,
from 15s-130s before this patch.
- Saving 30-90s per job in the Cygwin install step.
The before values were fluctuating, but it seems reasonable to expect
saving at least a couple of minutes for each workflow run.
Closes #16813
- on native Windows (also when using MSYS2 openssh), the group and other
permissions do not end up as requested by Perl's chmod:
```diff
--- log/8/check-expected
+++ log/8/check-generated
@@ -1,3 +1,3 @@
d????????? N U U N ??? N NN:NN asubdir[LF]
--rw?rw?rw? 1 U U 37 Jan 1 2000 plainfile.txt[LF]
+-rw?r-?r-? 1 U U 37 Jan 1 2000 plainfile.txt[LF]
-r-?r-?r-? 1 U U 47 Dec 31 2000 rofile.txt[LF]
```
Ref: https://github.com/curl/curl/actions/runs/14004029192/job/39215359241?pr=16781#step:15:1596
Fix it by ignoring group and other attributes.
- fix failing postprocess cleanup by making the read-only test file
writeable again before deleting it. Fixing:
```
Directory not empty at ../../tests/libtest/test613.pl line 83.
```
(seen on Windows with Git for Windows `perl.exe`)
- unignore in GHA/windows.
Closes #16791
It accidentally worked on all CI-tested operating systems, except on
native Windows.
Fixing:
```
=== Start of file stderr612
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
[...]
curl: (21) rm command failed: Operation failed
```
Ref: https://github.com/curl/curl/actions/runs/14004029192/job/39215359241?pr=16781#step:15:1424
Also remove this test from the ignore list in GHA/windows.
Closes #16801
SFTP/SCP tests were failing in CI with WinCNG libssh2 since we first
added such a job, with `curl: (67) Authentication failure`.
The reason is that the default `ssh-keygen` RSA private key format
changed to OpenSSH (RFC4716) in 2018. libssh2 does not support this
format with some of its crypto backends.
Fix it by generating keys explicitly in PEM format as necessary via
the `-m` option. This format is universally recognized for RSA keys.
2018-08-24: https://www.openssh.com/txt/release-7.8: OpenSSH format becomes default
2010-08-23: https://www.openssh.com/txt/release-5.6: `-m` option first supported
This fixed the auth issue, just to reveal a known flakiness issue in
libssh2 + WinCNG, causing:
```
curl: (2) Failure establishing ssh session: -8, Unable to exchange encryption keys
```
Ref: https://github.com/curl/curl/actions/runs/14000494428/job/39205633258?pr=16781#step:15:1796
Tracked here: https://github.com/libssh2/libssh2/issues/804
Mitigated in libssh2 tests by retrying them.
Due to this, keep ignoring these test results.
Also:
- add an env to customize key format: `CURL_TEST_SSH_KEY_FORMAT`
- display the generated format in the log.
- GHA/linux: document the wolfSSH error code causing it to fail tests:
```
curl: (79) wolfssh SFTP connect error -1051 / WS_MATCH_KEY_ALGO_E / cannot match key algo with peer
```
Follow-up to 4911e7af11 #16735
Follow-up to 0ec72c1ef8 #16672
Follow-up to e53523fef0 #14859
Follow-up to e26cbe20cb #13979
Closes #16781
On suspicion of strain on the runtime env/pipes, disable this test, which
is flaky due to `runtests` detecting a 2009 result code from curl, while
curl is returning the expected 56:
```
test 0498...[Reject too large HTTP response headers on endless redirects]
curl returned 2009, when expecting 56
498: exit FAILED
== Contents of files in the log/5/ dir after test 498
[...]
0 0 0 0 0 0 0 0 --:--:-- 0:00:10 --:--:-- 0
curl: (56) Too large response headers: 6144086 > 6144000
```
In such cases the number of log lines for this single test is 4800. In
comparison the total number of log lines for a clear test run is 3800.
Seen with mingw, dl-mingw, msvc CI jobs.
Follow-up to 4911e7af11 #16735
Ref: https://github.com/curl/curl/discussions/14854#discussioncomment-12503065
Closes #16748
Skipping these tests saves time and reduces test logs from 11500 lines
to 3800.
Tests are permanently broken due to `curl: (67) Authentication failure`.
This libssh2 is built with WinCNG. Builds using libcrypto from OpenSSL
work fine.
Closes #16735
After restricting OpenSSH-Windows to a single job, and bumping it to
the pre-release version, that job started hanging then timing out with
reasonable consistency.
Since we saw similar hangs before with OpenSSH-Windows stable, in all
jobs, drop OpenSSH-Windows from CI, and replace it with MSYS openssh.
After this patch, all Windows jobs use MSYS2 or Cygwin openssh.
Follow-up to 0ec72c1ef8 #16672
Closes #16704
MSVC:
- switch jobs to standard openssh server. Reduce exceptions.
- make the SCP/SFTP ignore list more specific and comment with details.
- keep using OpenSSH-Windows for the OpenSSL job, and bump to the
prerelease version.
- disable `ENABLE_DEBUG` for BoringSSL to have such build tested. (This
is the first Windows non-ENABLE_DEBUG build with test runs.)
Takeaways:
- test 612 broken on Windows.
- test 613 broken on Windows with the standard openssh server.
- test 614 broken with libssh and OpenSSH-Windows.
- test 3022 broken with libssh2 and OpenSSH-Windows.
- tests broken with OpenSSH-Windows:
601 603 617 619 621 641 665 2004.
- vcpkg `libssh2[core,zlib]` broken due to:
curl: (67) Authentication failure
MSVC prep steps:
- install base msys2 package to simplify configuration, align with other
jobs and allow using msys2 packages for tests.
- add support for msys2 openssh server. Keep OpenSSH-Windows as per-job
option. Add support for OpenSSH prerelease versions.
Prerelease does not make a difference in test results, but, stable was
last updated in 2019 (v8.0.0.1) and it seems better to use maintained
release track, with its latest from April 2024 (v9.5.0).
https://community.chocolatey.org/packages/openssh/8.0.0.1
https://community.chocolatey.org/packages/openssh
https://github.com/PowerShell/Win32-OpenSSH
https://github.com/PowerShell/openssh-portable
- add 'libssh' to its job name.
- make `ENABLE_DEBUG` a per-job option.
msys/mingw:
- install `openssh` later and only when necessary.
- downgrade msys2 runtime later. (to follow other jobs)
- disable `CheckSpace` earlier. Also to untie it from the runtime
downgrade step, which we would hopefully drop.
Closes #16672
Replace `Cwd::abs_path()` with `File::Spec->rel2abs()`. The former
requires the file to exist, but in some cases, it's missing.
Seen in MSVC vcpkg jobs using Chocolatey OpenSSH v8.0.0.1 ending up with
`$path=/d/a/curl/curl/bld/tests/log/3/server/ssh_server.pid`, which does
not exist while converting to an absolute path (the path is already
absolute, but the conversion is done unconditionally):
```
Use of uninitialized value in subroutine entry at D:/a/curl/curl/tests/pathhelp.pm line 128.
can't convert empty path at D:/a/curl/curl/tests/pathhelp.pm line 128.
```
Ref: https://github.com/curl/curl/actions/runs/13747741797/job/38444844173#step:14:1233 (master)
Ref: https://github.com/curl/curl/actions/runs/13751862952/job/38453816737#step:14:3185 (trace)
Also ignore 3 new libssh2 jobs failing due to memleak.
Partial revert of 1bd5ac998b #16570
Closes #16636
It fixes test 2302, 2303, 2307 with MSVC and clang on Windows.
GCC Windows builds were not affected.
Failure was caused by stack overflow due to a 1MB+ sized test struct on
stack. Replace it with dynamic allocation.
Also unignore affected tests in GHA/windows.
As seen under WINE with llvm-mingw:
```
$ wine64 libtests.exe lib2302 ws://127.0.0.1:59964/2302 > stdout2302 2> stderr2302
Test: lib2302
URL: ws://127.0.0.1:59964/2302
wine: Unhandled stack overflow at address 000000014007486A (thread 0024), starting debugger...
Unhandled exception: stack overflow in 64-bit code (0x000000014007486a).
```
Ref: #16629 (discovery)
Ref: 1bd5ac998b #16570
Closes #16630
The GnuTLS MSVC/vcpkg build doesn't actually work on Windows. Let's
restore the build itself, to keep it fit for more testing. With disabled
tests (and examples) to keep it fast and not add to flakiness.
Also:
- enable GnuTLS in the MultiSSL job.
- limit building examples to one normal and one UWP job. It saves
6 x 1-1.5 minutes. Coverage remains the same, because example builds
only depend on the toolchain / target, not on the actual features
(except IPv6, but that's enabled for all.)
Closes #16623
- enable zstd in Cygwin and MSYS jobs.
- dl-mingw: use Ninja in the 9.5.0 (winlibs-mingw) job.
The download package is shipping with it. Saves 15s build time.
Keep testing GNU Makefiles with the two mingw-builds jobs.
- dl-mingw: split `env` prop to `env` and `ver` to aid integrating with
MSYS2.
- dl-mingw: install MSYS2 with options to make it quick (<20s).
It allows using MSYS2 dependency packages with the downloaded
toolchains. It also makes configuration cleaner. Install libpsl.
- dl-mingw: enable mbedTLS in the 7.3.0 job.
(OpenSSL took a long time to install, wolfSSL misses features.)
Assisted-by: Jeremy Drake
Closes #16429
Re-enable running tests 19, 504, 704, 705, 1233 in CI MSYS jobs.
We carried over these exceptions from AppVeyor CI, where they have been
present for a long time. Cygwin jobs do not need these exceptions and
Cygwin and MSYS are similar envs. Time to re-evaluate if skipping them
is still necessary on MSYS.
Closes #16592
Bump msys2/setup-msys2 from 2.26.0 to 2.27.0. It brings the perf
regression experienced earlier with GfW and the pre-installed
MSYS2 on the GHA runner. Apply the runtime downgrade trick as
a workaround.
Fixes #16440
Fixes #16547
Closes #16574