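# Vendor workflow (firefox.yml): checks that the neqo crates from this
# checkout can be vendored into a fresh Gecko (mozilla-firefox/firefox) tree,
# and optionally builds Firefox when started by manual dispatch.
#
# Security posture visible in this file:
#   - triggered by `pull_request` (not `pull_request_target`) and runs with a
#     read-only token (`permissions: contents: read`);
#   - every action is pinned to a full commit SHA;
#   - both checkouts set `persist-credentials: false`, so no token is left in
#     .git/config for the later steps that process PR-controlled content.
name: Vendor

on:
  pull_request:
    types: [opened, synchronize, reopened]
  merge_group:
  workflow_dispatch:
    inputs:
      build:
        description: "Build Firefox after vendoring"
        type: boolean
        default: false
      linux:
        description: "Build on Linux"
        type: boolean
        default: true
      macos:
        description: "Build on macOS"
        type: boolean
        default: true
      windows:
        description: "Build on Windows"
        type: boolean
        default: true

# One run per pull request (or per ref for other events); a newer run cancels
# the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Least privilege: the workflow only needs to read repository contents.
permissions:
  contents: read

defaults:
  run:
    shell: bash

env:
  CARGO_TERM_COLOR: always
  # Quoted so the version is always read as a string, never as a number.
  MOZILLABUILD_VERSION: "4.2.1"

jobs:
  vendor:
    name: Vendor into Gecko
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-24.04, macos-15, windows-2025]
    runs-on: ${{ matrix.os }}
    env:
      MOZBUILD_STATE_PATH: ${{ github.workspace }}/mozbuild
    steps:
      - name: Check out neqo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: neqo
          persist-credentials: false

      # Gecko is tracked at the moving `main` branch, not a pinned commit, so
      # the `mach` tooling executed by later steps is whatever `main` holds at
      # run time.
      - name: Check out Gecko
        id: gecko
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: mozilla-firefox/firefox
          path: firefox
          ref: main
          fetch-depth: 1
          persist-credentials: false

      # FIXME: Caching mozbuild toolchains disabled because cache entries are 1-5 GB

      # The package version is pinned through MOZILLABUILD_VERSION above.
      - name: Install MozillaBuild (Windows)
        if: runner.os == 'Windows'
        run: choco install -y mozillabuild --version "$MOZILLABUILD_VERSION"

      # FIXME: macos-15 runners have a Python version that is too new for mach
      - name: Set up Python (macOS)
        if: runner.os == 'macOS'
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"

      - name: Vendor neqo into Gecko
        id: vendor
        working-directory: firefox
        run: |
          # Minimal mozconfig for a release browser build without tests.
          {
            echo "mk_add_options MOZ_OBJDIR=../obj-firefox"
            echo "ac_add_options --enable-application=browser"
            echo "ac_add_options --disable-tests"
            echo "ac_add_options --enable-release"
          } > mozconfig
          # Record name/version of the workspace crates in the neqo checkout.
          # --no-deps limits the output to the workspace's own packages.
          cargo metadata --manifest-path ../neqo/Cargo.toml --format-version 1 --no-deps |
            jq '[.packages[] | {name, version}]' > ../neqo-versions.json
          NEQO_CRATES="mtu neqo-common neqo-http3 neqo-qpack neqo-transport neqo-udp"
          # Redirect Gecko's neqo git dependency to the local checkout.
          {
            echo '[patch."https://github.com/mozilla/neqo"]'
            for crate in $NEQO_CRATES; do
              echo "$crate = { path = \"../neqo/$crate\" }"
            done
          } >> Cargo.toml
          # shellcheck disable=SC2086
          cargo update $NEQO_CRATES
          # Append placeholder audit entries so vendoring can proceed for the
          # neqo versions under test. They claim `safe-to-deploy` on behalf of
          # "CI" without any review having taken place; they are written only
          # to this throwaway checkout, and no step in this workflow commits
          # or pushes them. They must never reach a real audits.toml.
          for crate in $NEQO_CRATES; do
            # Pass the crate name as a jq variable instead of splicing it into
            # the filter text.
            version=$(jq -r --arg crate "$crate" '.[] | select(.name == $crate) | .version' ../neqo-versions.json)
            # Refuse to write an audit entry with a blank version. The message
            # goes to stderr because stdout is redirected into audits.toml.
            if [ -z "$version" ]; then
              echo "::error::No version found for $crate in neqo-versions.json" >&2
              exit 1
            fi
            echo "[[audits.$crate]]"
            echo "who = \"CI\""
            echo "criteria = \"safe-to-deploy\""
            echo "version = \"$version\""
            echo "notes = \"Placeholder created by CI.\""
            echo ""
          done >> supply-chain/audits.toml
          # Hide .git to prevent mach from running git operations
          mv .git .git.bak
          trap 'mv .git.bak .git' EXIT
          # The pipeline status reflects mach (not tee) because GitHub runs an
          # explicitly selected `shell: bash` with `-eo pipefail`.
          if ./mach vendor rust --ignore-modified 2>&1 | tee vendor.log; then
            echo "Vendoring succeeded"
            exit 0
          fi
          if [ ! -s vendor.log ]; then
            echo "::error::Vendoring failed with no output"
            exit 1
          fi
          # Check if this is a vet-related failure
          if grep -qE "Vet error|Missing audit for" vendor.log; then
            # Extract all crate names from crate:version patterns in the log
            # NOTE(review): this fails open. If the log carries no
            # crate:version pattern (`|| true` tolerates that), the list is
            # empty, no neqo crate matches below, and vendoring is forced.
            # Confirm against mach's vet output format before relying on it.
            FAILING_CRATES=$(grep -oE '[a-zA-Z_][a-zA-Z0-9_-]*:[0-9]+\.[0-9]+' vendor.log | cut -d: -f1 | sort -u) || true
            echo "Vet failures detected for: $FAILING_CRATES"
            # Check if any failing crate is a neqo crate
            for crate in $NEQO_CRATES; do
              if echo "$FAILING_CRATES" | grep -qxF "$crate"; then
                echo "::error::Vet failure for neqo crate: $crate"
                cat vendor.log
                exit 1
              fi
            done
            # The retry with --force presumably overrides the vet failure;
            # its result is meaningful for this CI check only and is not
            # evidence that the other crates were audited.
            echo "::warning::Vet failures are unrelated to neqo, forcing"
            ./mach vendor rust --ignore-modified --force
          else
            echo "::error::Vendoring failed for non-vet reasons:"
            cat vendor.log
            exit 1
          fi

      # Build steps only run on manual dispatch with build enabled
      - name: Maximize build space (Linux)
        if: |
          github.event_name == 'workflow_dispatch' &&
          inputs.build && inputs.linux && runner.os == 'Linux'
        run: |
          # Best-effort cleanup of preinstalled tooling; each command may fail
          # without failing the step.
          sudo rm -rf /usr/local/lib/android || true
          sudo rm -rf /usr/share/dotnet || true
          sudo rm -rf /opt/ghc || true
          sudo rm -rf /usr/local/.ghcup || true
          sudo apt-get remove -y '^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*' \
            azure-cli google-chrome-stable firefox powershell mono-devel libgl1-mesa-dri google-cloud-sdk \
            google-cloud-cli --fix-missing --quiet || true
          sudo apt-get autoremove -y || true
          sudo apt-get clean || true
          sudo docker image prune --all --force || true
          sudo rm -rf "$AGENT_TOOLSDIRECTORY" || true
          df -h

      # Expression results reach the script through `env:` rather than being
      # interpolated into the shell text.
      - name: Build Firefox
        if: |
          github.event_name == 'workflow_dispatch' && inputs.build &&
          ((runner.os == 'Linux' && inputs.linux) ||
          (runner.os == 'macOS' && inputs.macos) ||
          (runner.os == 'Windows' && inputs.windows))
        working-directory: firefox
        env:
          NAME: ${{ runner.os == 'macOS' && 'Nightly' || 'bin' }}
          EXT: ${{ runner.os == 'macOS' && '.app' || '' }}
          RUNNER_OS: ${{ runner.os }}
        run: |
          [ "$RUNNER_OS" == "Windows" ] && unset WindowsSdkDir
          ./mach build && tar -cf ../Firefox.tar -C ../obj-firefox/dist "$NAME$EXT"

      # NOTE(review): Firefox.tar is written by `tar -cf`, i.e. uncompressed,
      # while the artifact name ends in .tgz; compression comes from
      # `compression-level` below. The binaries are built from a tree vendored
      # with placeholder audits (and possibly --force), so treat the artifact
      # as a test build only.
      - name: Export Firefox artifact
        if: |
          github.event_name == 'workflow_dispatch' && inputs.build &&
          ((runner.os == 'Linux' && inputs.linux) ||
          (runner.os == 'macOS' && inputs.macos) ||
          (runner.os == 'Windows' && inputs.windows))
        id: upload
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ runner.os }}-Firefox.tgz
          path: Firefox.tar
          compression-level: 9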