mozilla
diff --git a/‎.github/actionlint.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/actionlint.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/actions/check-android/action.yml‎
Lines changed: 2 additions & 13 deletions b/‎.github/actions/check-android/action.yml‎
Lines changed: 2 additions & 13 deletions
diff --git a/‎.github/actions/check-vm/action.yml‎
Lines changed: 25 additions & 13 deletions b/‎.github/actions/check-vm/action.yml‎
Lines changed: 25 additions & 13 deletions
diff --git a/‎.github/actions/nss/action.yml‎
Lines changed: 60 additions & 71 deletions b/‎.github/actions/nss/action.yml‎
Lines changed: 60 additions & 71 deletions
@@ -4,3 +4,4 @@ self-hosted-runner:
   labels:
     - moonshot
     - moonshot-exp
+    - codspeed-macro
@@ -20,17 +20,14 @@ inputs:
   minimum-nss-version:
     description: 'If NSS is required, the minimum version required.'
     default: ''
-  codecov-token:
-    description: 'Codecov token, if Codecov upload is desired.'
-    default: ''
   github-token:
     description: 'A Github PAT'
     required: true
 
 runs:
   using: composite
   steps:
-    - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+    - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
       with:
         distribution: zulu
         java-version: 23
@@ -94,19 +91,11 @@ runs:
         EOF
         chmod a+x /tmp/rust-android-run-tests-on-emulator.sh
 
-    - uses: reactivecircus/android-emulator-runner@1dcd0090116d15e7c562f8db72807de5e036a4ed # v2.34.0
+    - uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0
       with:
         api-level: ${{ inputs.api-level }}
         arch: ${{ startsWith(inputs.target, 'x86_64') && 'x86_64' || (startsWith(inputs.target, 'i686') && 'x86' || (startsWith(inputs.target, 'aarch64') && 'arm64-v8a')) }}
         ndk: ${{ inputs.ndk-version }}
         emulator-boot-timeout: 120
         disk-size: 2G
         script: /tmp/rust-android-run-tests-on-emulator.sh
-
-    - if: ${{ inputs.codecov-token != '' }}
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
-      with:
-        files: lcov.info
-        fail_ci_if_error: false
-        token: ${{ inputs.codecov-token }}
-        verbose: true
@@ -30,7 +30,7 @@ runs:
             freebsd)    pkg install -y curl llvm nss pkgconf
                         ;;
             openbsd)    # TODO: Is there a way to not pin the version of llvm? -z to pkg_add does not work.
-                        pkg_add rust rust-clippy rust-rustfmt llvm-19.1.7p3 nss pkgconf # rustup does not support OpenBSD at all
+                        pkg_add rust rust-clippy rust-rustfmt llvm-21.1.2p0 nss # rustup does not support OpenBSD at all
                         ;;
             netbsd)     /usr/sbin/pkg_add pkgin && pkgin -y install curl clang nss pkgconf
                         ;;
@@ -56,9 +56,9 @@ runs:
             freebsd)    sh rustup.sh --default-toolchain stable --profile minimal --component clippy,llvm-tools,rustfmt -y
                         . "\$HOME/.cargo/env"
                         ;;
-            openbsd)    export LIBCLANG_PATH=/usr/local/llvm19/lib
-                        export LLVM_COV=/usr/local/llvm19/bin/llvm-cov
-                        export LLVM_PROFDATA=/usr/local/llvm19/bin/llvm-profdata
+            openbsd)    export LIBCLANG_PATH=/usr/local/llvm21/lib
+                        export LLVM_COV=/usr/local/llvm21/bin/llvm-cov
+                        export LLVM_PROFDATA=/usr/local/llvm21/bin/llvm-profdata
                         [ "$WORKSPACE" ] && EXCLUDE="--exclude fuzz" # Fuzzing not supported on OpenBSD
                         ;;
             netbsd)     sh rustup.sh --default-toolchain stable --profile minimal --component clippy,llvm-tools,rustfmt -y
@@ -86,7 +86,7 @@ runs:
           cargo fmt --all -- --check
           case "$PLATFORM" in
             freebsd)    cargo install cargo-llvm-cov --locked
-                        cargo llvm-cov test --locked --no-fail-fast --lcov --output-path lcov.info
+                        cargo llvm-cov test --locked --no-fail-fast --codecov --output-path codecov.json
                         ;;
             *)          # FIXME: No profiler support on other platforms, error is: cannot find crate for profiler_builtins
                         cargo test --locked --no-fail-fast # We do this instead for now
@@ -102,45 +102,57 @@ runs:
         } >> "$GITHUB_OUTPUT"
 
         curl -o "$WD/rustup.sh" --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs
-        echo "envs=CARGO_TERM_COLOR RUST_BACKTRACE RUST_LOG GITHUB_ACTIONS RUST_TEST_TIME_UNIT RUST_TEST_TIME_INTEGRATION RUST_TEST_TIME_DOCTEST WD" >> "$GITHUB_OUTPUT"
+        echo "envs=CARGO_TERM_COLOR RUST_BACKTRACE RUST_LOG RUST_TEST_TIME_UNIT RUST_TEST_TIME_INTEGRATION RUST_TEST_TIME_DOCTEST WD" >> "$GITHUB_OUTPUT"
 
     - if: ${{ inputs.platform == 'freebsd' }}
-      uses: vmactions/freebsd-vm@966989c456d41351f095a421f60e71342d3bce41 # v1.2.1
+      uses: vmactions/freebsd-vm@ba6bedee4a4884da2b782a41a64329a1c8e42ffb # v1.3.8
       with:
         usesh: true
+        disable-cache: true
         envs: ${{ steps.prep.outputs.envs }}
         prepare: ${{ steps.prep.outputs.prepare }}
         run: ${{ steps.prep.outputs.run }}
 
     - if: ${{ inputs.platform == 'openbsd' }}
-      uses: vmactions/openbsd-vm@0d65352eee1508bab7cb12d130536d3a556be487 # v1.1.8
+      uses: vmactions/openbsd-vm@f5b9bc1261c3d4eed9639fcae0cf5dcc5374ca0c # v1.3.2
       with:
         usesh: true
+        disable-cache: true
         envs: ${{ steps.prep.outputs.envs }}
         prepare: ${{ steps.prep.outputs.prepare }}
         run: ${{ steps.prep.outputs.run }}
 
     - if: ${{ inputs.platform == 'netbsd' }}
-      uses: vmactions/netbsd-vm@d0228be27fbaba19418cc1b332609a895cf16561 # v1.1.9
+      uses: vmactions/netbsd-vm@37b614756f0b44b02f5dab4fd9ecb27545d1785e # v1.3.2
       with:
         usesh: true
+        disable-cache: true
         envs: ${{ steps.prep.outputs.envs }}
         prepare: ${{ steps.prep.outputs.prepare }}
         run: ${{ steps.prep.outputs.run }}
 
     - if: ${{ inputs.platform == 'solaris' }}
-      uses: vmactions/solaris-vm@58cbd70c6e051860f9b8f65908cc582938fbbdba # v1.1.5
+      uses: vmactions/solaris-vm@37d40b6627e80434541454b42841caa4cc77d0cf # v1.2.7
       with:
         release: "11.4-gcc"
         usesh: true
+        disable-cache: true
         envs: ${{ steps.prep.outputs.envs }}
         prepare: ${{ steps.prep.outputs.prepare }}
         run: ${{ steps.prep.outputs.run }}
 
-    - if: ${{ inputs.codecov-token != '' }}
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
+    - id: check-coverage
+      shell: bash
+      env:
+        WORKING_DIR: ${{ inputs.working-directory }}
+      run: test -f "$WORKING_DIR/codecov.json" && echo "exists=true" >> "$GITHUB_OUTPUT" || true
+
+    - if: ${{ steps.check-coverage.outputs.exists == 'true' }}
+      uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
       with:
-        files: lcov.info
+        files: codecov.json
+        working-directory: ${{ inputs.working-directory }}
         fail_ci_if_error: false
         token: ${{ inputs.codecov-token }}
         verbose: true
+        flags: ${{ inputs.platform }}
@@ -2,9 +2,6 @@ name: Install NSS
 description: Install NSS
 
 inputs:
-  type:
-    description: "When building, whether to do a debug or release build of NSS"
-    default: "Release"
   minimum-version:
     description: "Minimum required version of NSS"
     required: true
@@ -17,16 +14,16 @@ runs:
   steps:
     - name: Install system NSS (Linux)
       shell: bash
-      if: ${{ runner.os == 'Linux' && runner.environment == 'github-hosted' && inputs.target == '' }}
+      if: ${{ runner.os == 'Linux' && inputs.target == '' && (runner.environment != 'self-hosted' || contains(runner.name, 'CodSpeed')) }}
       env:
         DEBIAN_FRONTEND: noninteractive
       run: |
         [ "$APT_UPDATED" ] || sudo apt-get update && echo "APT_UPDATED=1" >> "$GITHUB_ENV"
-        sudo apt-get install -y --no-install-recommends libnss3-dev pkg-config
+        sudo apt-get install -y --no-install-recommends libnss3-dev
 
     - name: Install system NSS (MacOS)
       shell: bash
-      if: ${{ runner.os == 'MacOS' && runner.environment == 'github-hosted' && inputs.target == '' }}
+      if: ${{ runner.os == 'MacOS' && inputs.target == '' }}
       run: |
         [ "$BREW_UPDATED" ] || brew update && echo "BREW_UPDATED=1" >> "$GITHUB_ENV"
         brew install nss
@@ -38,25 +35,9 @@ runs:
       shell: bash
       if: inputs.target == ''
       run: |
-        if ! command -v pkg-config &> /dev/null; then
-          echo "pkg-config: not found"
-          exit 0
-        fi
-        if ! pkg-config --exists nss; then
-          echo "pkg-config: NSS not found"
-          exit 0
-        fi
-        NSS_VERSION="$(pkg-config --modversion nss)"
-        if [ "$?" -ne 0 ]; then
-          echo "pkg-config: failed to determine NSS version"
-          exit 0
-        fi
-        NSS_MAJOR=$(echo "$NSS_VERSION" | cut -d. -f1)
-        NSS_MINOR=$(echo "$NSS_VERSION" | cut -d. -f2)
-        REQ_NSS_MAJOR=$(echo "$MIN_VERSION" | cut -d. -f1)
-        REQ_NSS_MINOR=$(echo "$MIN_VERSION" | cut -d. -f2)
-        if [[ "$NSS_MAJOR" -lt "$REQ_NSS_MAJOR" || "$NSS_MAJOR" -eq "$REQ_NSS_MAJOR" && "$NSS_MINOR" -lt "$REQ_NSS_MINOR" ]]; then
-          echo "System NSS is too old: $NSS_VERSION"
+        if ! pkg-config --atleast-version "$MIN_VERSION" nss; then
+          echo -n "System NSS needs ${MIN_VERSION}, got "
+          pkg-config --modversion nss 2>/dev/null || echo "pkg-config error"
           exit 0
         fi
         echo "System NSS is suitable: $NSS_VERSION"
@@ -69,11 +50,11 @@ runs:
       #
       # Also, only enable sscache on our self-hosted runner, because the GitHub cache limit
       # is too small for this to be effective there.
-      if: ${{ env.SCCACHE_ENABLED != '1' && !steps.system_nss.outputs.suitable && runner.environment != 'github-hosted' }}
-      uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4
+      if: ${{ env.SCCACHE_ENABLED != '1' && !steps.system_nss.outputs.suitable && runner.environment == 'self-hosted' && !contains(runner.name, 'CodSpeed') }}
+      uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 
     - name: Enable sscache
-      if: ${{ !steps.system_nss.outputs.suitable && runner.environment != 'github-hosted' }}
+      if: ${{ !steps.system_nss.outputs.suitable && runner.environment == 'self-hosted' && !contains(runner.name, 'CodSpeed') }}
       env:
         RUNNER_ENVIRONMENT: ${{ runner.environment }}
         RUNNER_OS: ${{ runner.os }}
@@ -87,54 +68,61 @@ runs:
         fi
         echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV"
         echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV"
-        if [ "$RUNNER_ENVIRONMENT" == "github-hosted" ]; then
-          echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
-        fi
+        echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
 
-    - name: Checkout NSS
+    - name: Retrieve NSS
+      id: nss
       if: ${{ !steps.system_nss.outputs.suitable }}
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        repository: nss-dev/nss
-        path: nss
-        persist-credentials: false
+      shell: bash
+      env:
+        NSS_VERSION: "3.120" # TODO: Bump this periodically; also in qns/Dockerfile. Trailing zeroes are stripped w/o quotes!
+      run: |
+        NSS_TAG="${NSS_VERSION//./_}"
+        NSS_URL="https://ftp.mozilla.org/pub/security/nss/releases/NSS_${NSS_TAG}_RTM/src/nss-${NSS_VERSION}.tar.gz"
+        echo "Retrieving NSS $NSS_VERSION from $NSS_URL"
+        curl -L "$NSS_URL" | tar xz --strip-components=1
+        echo "version=$NSS_VERSION" >> "$GITHUB_OUTPUT"
 
     - name: Retrieve NSPR
       id: nspr
       if: ${{ !steps.system_nss.outputs.suitable }}
       shell: bash
       env:
-        NSPR_VERSION: 4.37 # This changes so rarely that we can hardcode it.
+        NSPR_VERSION: "4.38.2" # TODO: Bump this periodically; also in qns/Dockerfile. Trailing zeroes are stripped w/o quotes!
       run: |
-        curl -L https://ftp.mozilla.org/pub/nspr/releases/v$NSPR_VERSION/src/nspr-$NSPR_VERSION.tar.gz |
-          tar xz --strip-components=1
+        NSPR_URL="https://ftp.mozilla.org/pub/nspr/releases/v$NSPR_VERSION/src/nspr-$NSPR_VERSION.tar.gz"
+        echo "Retrieving NSPR $NSPR_VERSION from $NSPR_URL"
+        curl -L "$NSPR_URL" | tar xz --strip-components=1
         echo "version=$NSPR_VERSION" >> "$GITHUB_OUTPUT"
 
-    - name: Store NSS version
-      id: nss
-      if: ${{ !steps.system_nss.outputs.suitable }}
+    - name: Store Ubuntu release code name (Linux)
+      id: ubuntu_release
       shell: bash
+      if: ${{ runner.os == 'Linux' && !steps.system_nss.outputs.suitable }}
       run: |
-        NSS_HEAD=$(git -C nss rev-parse HEAD)
-        echo "version=$NSS_HEAD" >> "$GITHUB_OUTPUT"
-
-    - name: Cache NSS
+        # Store Ubuntu release codename for use in cache key.
+        . /etc/os-release
+        echo "codename=-$UBUNTU_CODENAME" >> "$GITHUB_OUTPUT"
+
+    # Use restore-only here so PRs don't create redundant caches. PRs restore
+    # from main; only main saves new caches. This reduces churn and evictions.
+    # Downside: PRs that change NSS version/build will rebuild on every CI run.
+    - name: Restore NSS cache
       id: cache
-      if: ${{ !steps.system_nss.outputs.suitable && runner.environment == 'github-hosted' }}
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      if: ${{ !steps.system_nss.outputs.suitable }}
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: dist
-        key: nss-${{ inputs.target && inputs.target || runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ steps.nss.outputs.version }}-${{ steps.nspr.outputs.version }}
+        key: nss-${{ inputs.target || runner.os }}${{ steps.ubuntu_release.outputs.codename }}-${{ runner.arch }}-${{ steps.nss.outputs.version }}-${{ steps.nspr.outputs.version }}
 
     - name: Check if build is needed
       id: check_build
       if: ${{ !steps.system_nss.outputs.suitable }}
       env:
         CACHE_HIT: ${{ steps.cache.outputs.cache-hit }}
-        RUNNER_ENVIRONMENT: ${{ runner.environment }}
       shell: bash
       run: |
-        if [ "$RUNNER_ENVIRONMENT" != "github-hosted" ] || [ ! "$CACHE_HIT" ]; then
+        if [ "$CACHE_HIT" != "true" ]; then
           echo "Building NSS from source"
           echo "build_nss=1" >> "$GITHUB_OUTPUT"
         else
@@ -143,7 +131,7 @@ runs:
 
     - name: Install build dependencies (Linux)
       shell: bash
-      if: ${{ runner.os == 'Linux' && steps.check_build.outputs.build_nss && runner.environment == 'github-hosted' }}
+      if: ${{ runner.os == 'Linux' && steps.check_build.outputs.build_nss && (runner.environment != 'self-hosted' || contains(runner.name, 'CodSpeed')) }}
       env:
         DEBIAN_FRONTEND: noninteractive
       run: sudo apt-get install -y --no-install-recommends gyp ninja-build
@@ -191,17 +179,14 @@ runs:
       shell: bash
       if: ${{ !steps.system_nss.outputs.suitable }}
       env:
-        NSS_TARGET: ${{ inputs.type }}
-        NSS_TYPE: ${{ inputs.type }}
         NSS_DIR: ${{ github.workspace }}/nss
         RUNNER_OS: ${{ runner.os }}
         WORKSPACE: ${{ github.workspace }}
       run: | # zizmor: ignore[github-env] We need to write to GITHUB_PATH on Windows.
-        NSS_OUT="$WORKSPACE/dist/$NSS_TARGET"
+        NSS_OUT="$WORKSPACE/dist/Release"
         {
           echo "LD_LIBRARY_PATH=$NSS_OUT/lib"
           echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib"
-          echo "NSS_TARGET=$NSS_TARGET"
           echo "NSS_DIR=$NSS_DIR"
           echo "NSS_PREBUILT=1"
         } >> "$GITHUB_ENV"
@@ -216,13 +201,10 @@ runs:
         TARGET_PLATFORM: ${{ inputs.target }}
         RUNNER_OS: ${{ runner.os }}
       run: |
-        if [ "$NSS_TARGET" != "Debug" ]; then
-          # We want to do an optimized build for accurate CPU profiling, but
-          # we also want debug symbols and frame pointers for that, which the normal optimized NSS
-          # build process doesn't provide.
-          OPT="-o"
-          [ "$RUNNER_OS" != "Windows" ] && export CFLAGS="-ggdb3 -fno-omit-frame-pointer"
-        fi
+        # We want to do an optimized build for accurate CPU profiling, but
+        # we also want debug symbols and frame pointers for that, which the normal optimized NSS
+        # build process doesn't provide.
+        [ "$RUNNER_OS" != "Windows" ] && export CFLAGS="-ggdb3 -fno-omit-frame-pointer"
         if [[ $TARGET_PLATFORM == *-android* ]]; then
           for file in build-nss-android.sh build-android-common.sh; do
             curl -o "$file" -sSf "https://raw.githubusercontent.com/mozilla/application-services/refs/tags/v137.0/libs/$file"
@@ -238,12 +220,12 @@ runs:
           find /tmp/tmp.* > tmp
           CERTUTIL="$(grep certutil tmp)"
           TARGET_DIR="$(dirname $(dirname $CERTUTIL))"
-          mkdir -p "dist/$NSS_TARGET"
-          cp -vaL "$TARGET_DIR"/* "dist/$NSS_TARGET/"
+          mkdir -p "dist/Release"
+          cp -vaL "$TARGET_DIR"/* "dist/Release/"
           NSPR_H="$(grep nspr.h tmp)"
           INCLUDE_DIR="$(dirname $NSPR_H)"
-          mkdir -p "dist/$NSS_TARGET/include/nspr"
-          cp -vaL "$INCLUDE_DIR"/* "dist/$NSS_TARGET/include/nspr"
+          mkdir -p "dist/Release/include/nspr"
+          cp -vaL "$INCLUDE_DIR"/* "dist/Release/include/nspr"
           CHACHA="$(grep chacha20poly1305.h tmp)"
           PRIVATE_DIR="$(dirname $(dirname $CHACHA))"
           mkdir -p "dist/private"
@@ -254,9 +236,16 @@ runs:
           cp -vaL "$PUBLIC_DIR"/* "dist/"
           LIBNSPR4="$(grep lib/libnspr4.a tmp)"
           LIB_DIR="$(dirname $LIBNSPR4)"
-          mkdir -p "dist/$NSS_TARGET/lib"
-          cp -vaL "$LIB_DIR"/* "dist/$NSS_TARGET/lib"
+          mkdir -p "dist/Release/lib"
+          cp -vaL "$LIB_DIR"/* "dist/Release/lib"
         else
           [ "$SCCACHE_CC" ] && [ "$SCCACHE_CXX" ] && export CC="$SCCACHE_CC" CXX="$SCCACHE_CXX"
-          $NSS_DIR/build.sh -g -Ddisable_tests=1 -Ddisable_dbm=1 -Ddisable_libpkix=1 -Ddisable_ckbi=1 -Ddisable_fips=1 $OPT --static
+          $NSS_DIR/build.sh -g -Ddisable_tests=1 -Ddisable_dbm=1 -Ddisable_libpkix=1 -Ddisable_ckbi=1 -Ddisable_fips=1 --opt --static
         fi
+
+    - name: Save NSS cache
+      if: ${{ steps.check_build.outputs.build_nss && github.event_name != 'pull_request' }}
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      with:
+        path: dist
+        key: nss-${{ inputs.target || runner.os }}${{ steps.ubuntu_release.outputs.codename }}-${{ runner.arch }}-${{ steps.nss.outputs.version }}-${{ steps.nspr.outputs.version }}