Example:
```
Wed, 20 May 2026 09:51:48 GMT Updating Avalon repository catalogue...
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT repository Avalon has no meta file, using default settings
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT Unable to update repository Avalon
Wed, 20 May 2026 09:51:48 GMT Error updating repositories!
Wed, 20 May 2026 09:51:48 GMT Error: Process completed with exit code 3.
```
As tested over at libssh2, retrying the install command also does not
help, only repeats the same failure.
Also: fix whitespace in matrix.
Follow-up to b158d1c9f7#21681Closes#21694
- bump cross-platform-actions to v1.1.0.
Ref: https://github.com/cross-platform-actions/action/releases/tag/v1.1.0
- merge BSD jobs into a single matrix.
- split BSD jobs into build steps as used for other platforms.
A new feature of cross-platform-actions v1.1.0.
- sync BSD build steps with other platforms.
- add DragonFlyBSD and MidnightBSD to the BSD matrix.
New features of cross-platform-actions v1.1.0.
MidnightBSD uses GnuTLS to add variation, also the preinstalled
OpenSSL is too old (v1.1.1w) for curl.
Stick with autotools for DragonFlyBSD; I could not figure out how
to install cmake.
Refs:
https://en.wikipedia.org/wiki/DragonFly_BSDhttps://en.wikipedia.org/wiki/MidnightBSD
- bump Intel FreeBSD jobs from v14.3 to v15.0.
- fix to show `gcc` in the NetBSD job name.
All these saved 50 lines of YAML. The two new jobs take 2m15s each. The
bump to FreeBSD 15 needs and extra minute in total.
Note, the DragonFlyBSD job seems to have reliability issues. If it
remains an issue, I'll comment it out or delete it in a future commit.
Closes#21681
In both autotools and cmake builds, because Android does not offer
a `zlib.pc`.
Also:
- GHA/non-native: dump config files, to verify.
Reported-by: sfan5 on github
Fixes#21647Closes#21648
Also fix fallouts found.
Windows clang-tidy CI job is a little pickier than I'd prefer due to the
`_CURL_TESTS_CONCAT=ON` option used there, and all macros considered
local, thus checked by the compiler. Upside: it revealed macro usage
dynamics in tests. If too annoying, `first.h` may be opted-out from the
concat logic. Some macros may also be deleted instead of `#if 0`-ing.
Follow-up to e0e56e9ae4#21550
Follow-up to 5fa5cb3825#20593Closes#21554
Fixing this with zizmor v1.25.0:
```
error[unpinned-images]: unpinned image references
--> .github/workflows/linux-old.yml:59:5
59 | container: 'debian:stretch'
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image is not pinned to a SHA256 hash
= help: audit documentation -> https://docs.zizmor.sh/audits/#unpinned-images
[...]
```
Ref: https://github.com/curl/curl/actions/runs/25890035949/job/76090925291?pr=21618
Sadly there is no automatic mechanism to bump them..
Also:
- replace `debian-stretch` with its slim variant.
- bump one of the two Alpine jobs from 3.20 to 3.23.4.
Closes#21619
Fixing:
```
==> Installing openssl@3 dependency: ca-certificates
==> Pouring ca-certificates--2026-05-14.all.bottle.tar.gz
Error: undefined method '[]' for nil
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/utils/bottles.rb:127:in 'Utils::Bottles.load_tab'
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/formula_installer.rb:1507:in 'FormulaInstaller#pour'
[...]
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/brew.rb:114:in '<main>'
You have disabled automatic updates and have not updated today.
Do not report this issue until you've run `brew update` and tried again.
Error: Process completed with exit code 1.
```
Ref: https://github.com/curl/curl/actions/runs/25859030402/job/75984082148?pr=21607
Dropping `HOMEBREW_NO_AUTO_UPDATE=1` was not enough to fix it.
Closes#21608
- disable DES with nettle 4. It no longer supports it.
```
lib/curl_ntlm_core.c:67:12: fatal error: 'nettle/des.h' file not found
67 | # include <nettle/des.h>
| ^~~~~~~~~~~~~~
```
- fix MD4 support with nettle 4.
```
lib/md4.c:178:36: error: too many arguments to function call, expected 2, have 3
178 | md4_digest(ctx, MD4_DIGEST_SIZE, digest);
| ~~~~~~~~~~ ^~~~~~
```
- fix unused argument compiler warning:
```
lib/vtls/gtls.c:2267:39: error: unused parameter 'sha256len' [clang-diagnostic-unused-parameter,-warnings-as-errors]
2267 | size_t sha256len)
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970143?pr=21557
- GHA/macos: stop enabling NTLM in the GnuTLS job.
It no longer builds due to missing DES support in nettle 4.
```
lib/curl_ntlm_core.c:90:4: error: "cannot compile NTLM support without a crypto library with DES."
90 | # error "cannot compile NTLM support without a crypto library with DES."
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970170?pr=21557
Follow-up to cfadbaa133#21169Closes#21557
No production code function is allowed to be longer than 500 lines.
The lib/setopt.c:setopt_cptr function is currently exempt, as a single
exception until we make it smaller.
Closes#21492
- update action `actions/cache` from 5.0.4 to 5.0.5
- update action `actions/upload-artifact` from 7.0.0 to 7.0.1
- update action `github/codeql-action` from 4.32.4 to 4.35.2
- update action `msys2/setup-msys2` from 2.31.0 to 2.31.1
- update pip `filelock` from 3.25.2 to 3.29.0
- update pip `impacket` to 0.13.0
- update pip `ruff` from 0.15.10 to 0.15.12
Closes#21483Closes#21482
```
The following packages have unmet dependencies:
[...]
E: Unable to satisfy dependencies. Reached two conflicting assignments:
1. musl-dev:amd64=1.2.5-3+b1 is selected for install
2. musl-dev:amd64 is not selected for install because:
1. musl-dev:riscv64=1.2.5-3 is selected for install
2. musl-dev:amd64 Breaks musl-dev:riscv64 (!= 1.2.5-3+b1)
```
Ref: https://github.com/curl/curl/actions/runs/25168601672/job/73785600341#step:3:154Closes#21475
- prefer `--branch` over `-b`, where missing.
- add `--depth 1` where missing.
- sync option order between docs and GHA.
- bump quiche and rustls-ffi versions in documentation.
- ECH.md: update for OpenSSL 4.
Closes#21447
Necessary when the libssh2/libssh client library does not support KEX
algos offered by default by the OpenSSH server. E.g. libssh2 with WinCNG
combined with OpenSSH 10+.
Also: use this option in GHA/windows.
Follow-up to 3b8bb1a86a#21219
Follow-up to c98d0a2e9a#21220Closes#21438
Due to year-long unreliability.
The default Ubuntu mirror works as fast as the Azure one when it's
working at its normal speed. And has HTTPS.
Also:
- replac the retry hack that turn out to not solve the problem.
- add timeouts to each download step to catch slowness early.
Follow-up to a5838847c4#21181
Follow-up to 5172ba5475#21107Closes#21414
GitHub runners are getting new 3rd-party sources frequntly now, last
week `docker.list`, this week: `google-chrome.sources`. To avoid
playing catch up, allowlist the only one we use: `ubuntu.sources`. If
this is renamed, CI would break. Let's hope this happens much less
often than new sources.
Bug: https://github.com/curl/curl/pull/21414#issuecomment-4297788640
Follow-up to 3e0e2cc1ab#21344Closes#21416
`ssh-keygen -t ed25519` does not support PEM key format, and it
defaults to `RFC4716` which is what we want.
It affected GHA/windows tests that explicitly used ed25519 keys.
Also:
- GHA/windows: bump minimums to hopefully catch this early next time.
1701a8319e#21353
- merge two Perl lines.
Reported-by: herbenderbler on github
Fixes#21360
Follow-up to acda4eae5e#21223Closes#21374
Seen on `ubuntu-slim` runners.
Also:
- extend to two jobs to `ls -l` package sources on both ubuntu-latest,
ubuntu-24.04-arm, and ubuntu-slim.
- drop former stray apt source `ondrej-ubuntu-php-noble.sources`.
It's no longer present on the image.
Closes#21344
- rename version env to stay compatible with Renovate `matchStrings`.
- also switch to manual bumps.
Bump rule was wrong, and deemed not worthy the complexity to fix.
Closes#21319
- examples: sync debug output printf masks.
- INSTALL-CMAKE.md: tidy up section for some options.
- curl_sha512_256: delete comment suggesting an optimization.
- vtls/keylog: scope a variable.
- vtls/openssl: make a source code URL a permalink.
- vtls/schannel: drop redundant parentheses.
- test1119.pl: robustify `$1` -> `$s`.
- sync arg names in comments to match the code.
- tidy up and minor fixes to comments.
- fix formatting/indenting/comment/newline/include nits.
- move `UNITTEST` protos next to definitions, sync their argument names.
- make variables static.
- add parentheses to Perl `open()` calls.
- drop unnecessary double quotes in Perl.
- clang-format.
Closes#21000
