open-pr: avoid using system curl (because it can't do TLS v1.3) #24
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dscho
force-pushed
the
dont-use-system-curl
branch
5 times, most recently
from
dad8ede to
f76696f
Compare
|
This is the successful run that opened git-for-windows/MSYS2-packages#80: https://github.com/git-for-windows/git-for-windows-automation/actions/runs/4079002007/jobs/7029893303 |
|
The commit message of baa5ab4 is a little inacurate. The |
rimrul
reviewed
Feb 3, 2023
| env: | ||
| cache-name: cache-g4w-sdk | ||
| with: | ||
| path: .sdk |
There was a problem hiding this comment.
When does the cache action save the cache?
There was a problem hiding this comment.
It's the post checkout step that is implied by actions/cache.
There was a problem hiding this comment.
That's not ideal. It's caching the .sdk directory after we already cloned the target repo, which could cause collisions when opening PRs for multiple packages in the same repo. Maybe we should use actions/cache/restore and actions/cache/save to explicitely create the cache after the sparse checkout?
There was a problem hiding this comment.
Valid point.
I changed it. To prove that it works, I ran a dry-run that did not find a cached artifact and successfully cached it, followed by a dry-run that found the cache and successfully avoided re-checking out and re-caching it.
That `curl` version uses Secure Channel internally, which supports TLS v1.3 only since version 7.85.0, and this support requires Windows 11 (see https://curl.se/changes.html#7_85_0). While we do run the workflow in `windows-latest` hosted runners, which means Windows Server 2022, the Server equivalent to Windows 11, the `curl.exe` in that Windows version seems to be stuck at v7.83.1. That is a problem because we seem to be unable to access OpenSSH's CloudFlare CDN via anything below TLS v1.3, and this GitHub workflow runs in Windows 10 agents. The symptom looks like this: ==> Retrieving sources... -> Downloading openssh-9.2_P1.tar.gz... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_UNSUPPORTED_FUNCTION (0x80090302) - The function requested is not supported ==> ERROR: Failure while downloading https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2_P1.tar.gz Aborting... ==> ERROR: Failed to generate new checksums Error: Process completed with exit code 1. So let's use Git's own `curl.exe` (which can use OpenSSL, which in turn has no problems speaking TLS v1.3). We do insist on using `/mingw64/bin/curl.exe` because `/mingw64/bin/libcurl-4.dll` is already included in the `minimal` SDK artifact (to allow `git fetch`/`git push` via HTTPS), whereas if we were to use `/usr/bin/curl.exe` would require at least `/usr/bin/msys-curl-4.dll` (and who knows what other dependencies) that are not included in the `minimal` SDK. Signed-off-by: Johannes Schindelin <[email protected]>
We actually need something different than the `minimal` SDK (which is used in git/git's CI builds to build Git and run its test suite): we need `updpkgsums` and friends. So far, we abused the Action to initialize the minimal SDK and then called `curl` plenty a time to download the remaining files. It would appear that that downloading part ran afoul of rate limits at least in one instance. Let's just use a partial clone to begin with. Signed-off-by: Johannes Schindelin <[email protected]>
dscho
force-pushed
the
dont-use-system-curl
branch
from
8ec1887 to
a858612
Compare
|
@rimrul thank you for your excellent review! I've fixed the issues you pointed out: range-diff
|
Caching this instead of re-checking out all the time is a big time saver. In particular when something failed such as downloading the source archive, and something in `update-scripts/` needs to be added or to be adjusted. Instead of using the `actions/cache` Action as-is, we use the `restore` and `save` sub-Actions for tighter control (i.e. to avoid caching the artifact when the clone failed due to problems outside of our control such as network glitches). Signed-off-by: Johannes Schindelin <[email protected]>
The release announcments use a different version string than the file name; Let's automagically transform the former into the latter. Signed-off-by: Johannes Schindelin <[email protected]>
dscho
force-pushed
the
dont-use-system-curl
branch
2 times, most recently
from
f4ef67e to
e077d68
Compare
|
@rimrul could you give this another review? |
|
LGTM |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
curlexecutable inC:\Windows\system32exclusively uses Secure Channel as TLS backend. This is usually fine, except when one needs to talk to a TLS v1.3-only host and one is stuck with Windows prior to Windows 11 (where Secure Channel simply does not support TLS v1.3).This happens to be exactly the case that caused the workflow run to fail that wanted to open a PR for OpenSSH v9.2p1.
Let's just use our own MINGW
curl.exeinstead.