Skip to content
Vendor

feat: use the nss-rs blapi feature #2393

Sign in to view logs

feat: use the nss-rs blapi feature

feat: use the nss-rs blapi feature #2393

Workflow file for this run

.github/workflows/firefox.yml at 21c9572
name: Vendor
on:
pull_request:
types: [opened, synchronize, reopened]
merge_group:
workflow_dispatch:
inputs:
build:
description: "Build Firefox after vendoring"
type: boolean
default: false
linux:
description: "Build on Linux"
type: boolean
default: true
macos:
description: "Build on macOS"
type: boolean
default: true
windows:
description: "Build on Windows"
type: boolean
default: true
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
defaults:
run:
shell: bash
env:
CARGO_TERM_COLOR: always
MOZILLABUILD_VERSION: 4.2.1
jobs:
vendor:
name: Vendor into Gecko
strategy:
fail-fast: false
matrix:
os: [ubuntu-24.04, macos-15, windows-2025]
runs-on: ${{ matrix.os }}
env:
MOZBUILD_STATE_PATH: ${{ github.workspace }}/mozbuild
steps:
- name: Check out neqo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
path: neqo
persist-credentials: false
- name: Check out Gecko
id: gecko
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: mozilla-firefox/firefox
path: firefox
ref: main
fetch-depth: 1
persist-credentials: false
# FIXME: Caching mozbuild toolchains disabled because cache entries are 1-5 GB
- name: Install MozillaBuild (Windows)
if: runner.os == 'Windows'
run: choco install -y mozillabuild --version "$MOZILLABUILD_VERSION"
# FIXME: macos-15 runners have a Python version that is too new for mach
- name: Set up Python (macOS)
if: runner.os == 'macOS'
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.12"
- name: Vendor neqo into Gecko
id: vendor
working-directory: firefox
run: |
{
echo "mk_add_options MOZ_OBJDIR=../obj-firefox"
echo "ac_add_options --enable-application=browser"
echo "ac_add_options --disable-tests"
echo "ac_add_options --enable-release"
} > mozconfig
cargo metadata --manifest-path ../neqo/Cargo.toml --format-version 1 --no-deps | jq '[.packages[] | {name, version}]' > ../neqo-versions.json
NEQO_CRATES="mtu neqo-common neqo-http3 neqo-qpack neqo-transport neqo-udp"
{
echo '[patch."https://github.com/mozilla/neqo"]'
for crate in $NEQO_CRATES; do
echo "$crate = { path = \"../neqo/$crate\" }"
done
} >> Cargo.toml
# shellcheck disable=SC2086
cargo update $NEQO_CRATES
for crate in $NEQO_CRATES; do
version=$(jq -r ".[] | select(.name == \"$crate\") | .version" ../neqo-versions.json)
echo "[[audits.$crate]]"
echo "who = \"CI\""
echo "criteria = \"safe-to-deploy\""
echo "version = \"$version\""
echo "notes = \"Placeholder created by CI.\""
echo ""
done >> supply-chain/audits.toml
# Hide .git to prevent mach from running git operations
mv .git .git.bak
trap 'mv .git.bak .git' EXIT
if ./mach vendor rust --ignore-modified 2>&1 | tee vendor.log; then
echo "Vendoring succeeded"
exit 0
fi
if [ ! -s vendor.log ]; then
echo "::error::Vendoring failed with no output"
exit 1
fi
# Check if this is a vet-related failure
if grep -qE "Vet error|Missing audit for" vendor.log; then
# Extract all crate names from crate:version patterns in the log
FAILING_CRATES=$(grep -oE '[a-zA-Z_][a-zA-Z0-9_-]*:[0-9]+\.[0-9]+' vendor.log | cut -d: -f1 | sort -u) || true
echo "Vet failures detected for: $FAILING_CRATES"
# Check if any failing crate is a neqo crate
for crate in $NEQO_CRATES; do
if echo "$FAILING_CRATES" | grep -qxF "$crate"; then
echo "::error::Vet failure for neqo crate: $crate"
cat vendor.log
exit 1
fi
done
echo "::warning::Vet failures are unrelated to neqo, forcing"
./mach vendor rust --ignore-modified --force
else
echo "::error::Vendoring failed for non-vet reasons:"
cat vendor.log
exit 1
fi
# Build steps only run on manual dispatch with build enabled
- name: Maximize build space (Linux)
if: |
github.event_name == 'workflow_dispatch' &&
inputs.build && inputs.linux && runner.os == 'Linux'
run: |
sudo rm -rf /usr/local/lib/android || true
sudo rm -rf /usr/share/dotnet || true
sudo rm -rf /opt/ghc || true
sudo rm -rf /usr/local/.ghcup || true
sudo apt-get remove -y '^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*' \
azure-cli google-chrome-stable firefox powershell mono-devel libgl1-mesa-dri google-cloud-sdk \
google-cloud-cli --fix-missing --quiet || true
sudo apt-get autoremove -y || true
sudo apt-get clean || true
sudo docker image prune --all --force || true
sudo rm -rf "$AGENT_TOOLSDIRECTORY" || true
df -h
- name: Build Firefox
if: |
github.event_name == 'workflow_dispatch' && inputs.build &&
((runner.os == 'Linux' && inputs.linux) ||
(runner.os == 'macOS' && inputs.macos) ||
(runner.os == 'Windows' && inputs.windows))
working-directory: firefox
env:
NAME: ${{ runner.os == 'macOS' && 'Nightly' || 'bin' }}
EXT: ${{ runner.os == 'macOS' && '.app' || '' }}
RUNNER_OS: ${{ runner.os }}
run: |
[ "$RUNNER_OS" == "Windows" ] && unset WindowsSdkDir
./mach build && tar -cf ../Firefox.tar -C ../obj-firefox/dist "$NAME$EXT"
- name: Export Firefox artifact
if: |
github.event_name == 'workflow_dispatch' && inputs.build &&
((runner.os == 'Linux' && inputs.linux) ||
(runner.os == 'macOS' && inputs.macos) ||
(runner.os == 'Windows' && inputs.windows))
id: upload
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ runner.os }}-Firefox.tgz
path: Firefox.tar
compression-level: 9