- update `actions/checkout` from 6.0.1 to 6.0.2
- update `ruff` from 0.14.11 to 0.14.14
- update `cryptography` from 46.0.3 to 46.0.4
- update `psutil` from 7.2.1 to 7.2.2
- update `websockets` from 15.0.1 to 16.0
Closes#20490Closes#20491
Merging the two macOS jobs saves 4-5 minutes. The dropped iOS Ninja job
saves 0.5-1 minute. (Keep the two slow iOS jobs to maintain variation.)
Number of Apple jobs is 32 after this patch.
Also:
- skip building tests and example in iOS autotools to save 30-40s.
Closes#20467
It has been happening for a long time.
Example:
```
test 3001...[HTTPS localhost, last subject alt name matches, CN does not match]
3001: protocol FAILED!
There was no content at all in the file log/7/server.input.
Server glitch? Total curl failure? Returned: 56
== Contents of files in the log/7/ directory after test 3001
=== Start of file commands.log
../src/curl.exe -q --output log/7/curl3001.out --include --trace-ascii log/7/trace3001 --trace-time -4 --cacert ./certs/test-ca.crt https://localhost:64259/3001 > log/7/stdout3001 2> log/7/stderr3001
=== End of file commands.log
=== Start of file http_server.log
13:57:47.951283 Running HTTP IPv4 version on port 64256
=== End of file http_server.log
=== Start of file https_stunnel.log
2026.01.28 13:57:48 LOG5[ui]: stunnel 5.76 on x64-pc-mingw32-gnu platform
2026.01.28 13:57:48 LOG5[ui]: Compiled/running with OpenSSL 3.5.4 30 Sep 2025
[...]
2026.01.28 13:57:49 LOG5[0]: Service [curltest] accepted connection from 127.0.0.1:64281
2026.01.28 13:57:51 LOG3[0]: s_connect: connect 127.0.0.1:64256: Connection refused (WSAECONNREFUSED) (10061)
2026.01.28 13:57:51 LOG3[0]: No more addresses to connect
2026.01.28 13:57:51 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
=== End of file https_stunnel.log
=== Start of file server.cmd
Testnum 3001
=== End of file server.cmd
=== Start of file stderr3001
curl: (56) Recv failure: Connection was reset
=== End of file stderr3001
[...]
RUN: Unknown server on our https port: 64259 (56)
```
Ref: https://github.com/curl/curl/actions/runs/21440845836/job/61743268798?pr=20461Closes#20462
A cache entry created by windows-2022 is not picked up by
windows-11-arm. Also a cache created by windows-11-arm is not picked up
by windows-2022. Possibly related to this filed in 2025 June:
https://github.com/actions/cache/issues/1622. Also tried
`enableCrossOsArchive` to no avail. Unclear if these two runners count
as distinct operating systems, I'd guess not. Cache entries are
identical on the web UI. Via GH API they show up with the same cache key
bot different "version" (hash) and different sizes, possibly due to the
zstd vs. gzip bug above.
Fixing (identical error text on either runner):
```
Error: Failed to restore cache entry. Exiting as fail-on-cache-miss is set. Input key: Windows-stunnel-5.76-amd64
```
Also fix a silly typo in the shell value.
Follow-up to 0f54ca6150#20454Closes#20456
- set `CURL_DROP_UNUSED=ON` for Windows (MSVC) to make the analysis step
faster: 1m30s -> 1m15s
- enable `CURL_WERROR=ON` in all builds, to catch potential build issues
in addition to running CodeQL. To make these builds useful as regular
build tests too.
- add links to CodeQL Actions documentation.
- delete test data C files after checkout in an attempt to remove them
from CodeQL code coverage stats.
Closes#20418
Replace Chocolatey install with direct download and unpack. To reduce
CI dependencies (Chocolatey, NuGet), improve install performance
(10s -> 1s) and hopefully reliability. Last but not least to enable it
for the Cygwin CI job.
Caveats:
- Need to bump stunnel versions manually (2-3 times a year).
Renovate could likely do it, but I failed to understand its
documentation and miss tooling/interface to make tests.
- FIPS not enabled. (can be done if necessary)
- Possibly losing checksum verification (not sure if Chocolatey did it
automatically for this package.)
Also:
- Increase minimum tests by 100 for the Cygwin job.
Ref: #16819 (earlier attempt)
Ref: https://www.stunnel.org/archive/
Ref: https://www.githubstatus.com/incidents/cqb5hcy0gx18
Follow-up to d176f58a20#20413
Follow-up to 19b1e44660#20409Closes#20410
Bump CMake version in CMake integration tests for better performance
(8x on macOS, 2-3x on Windows) and native arm64 binaries.
- bump old CMake in integration tests to v3.19.8 (was: v3.11.4)
- switch to native arm64 CMake binaries on macOS.
- switch Linux CMake integration job to arm64.
Speed gains:
- Linux: 2m -> 1m30s
- macOS: 9-10m -> 1m15s
- Windows: 6-7m -> 2m43s
Before:
https://github.com/curl/curl/actions/runs/21255697172https://github.com/curl/curl/actions/runs/21255020621
After:
https://github.com/curl/curl/actions/runs/21272021446
With this, CI is:
- no longer testing deprecated CMake versions.
Follow-up to a7c974e038#19902
- not testing the next (from 2026 April) minimum 3.18, but going for
3.19 instead. For arm64 binaries on both macOS and Linux. There is
no 3.18-specific CMake code in curl.
Cherry-picked from #20407Closes#20408
- drop leading indent from Markdown.
- switch to Markdown section markers where missing.
- move `&&` and `||` to the end of the line (C, Perl).
- openssl: add parenthesis to an if sub-expression.
- misc clang-format nits.
- unfold Markdown links.
- SSL-PROBLEMS.md: drop stray half code-fence.
Closes#20402
To avoid unnecessarily installing Intel C for any `<pkg>-intel` locally
built dependency.
Follow-up to ab8ccaed24#20392
Follow-up to d9fe60d457#20248Closes#20400
To enable known linker options dropping unused, dead, code and data from
the executables built.
Useful to reduce binary sizes for curl, libcurl shared lib and apps
linking static libcurl. It's effective on both "unity" and non-unity
builds. Aligning "unity" build sizes with default, non-unity ones.
Supported platforms: Apple, MSVC, llvm/clang and GCC on all tested
platforms: Linux, BSDs, Windows, MSYS2/Cygwin, Android, MS-DOS.
Notes:
- Static libraries grow 20-30% with non-Apple toolchains.
This effect is controlled by separate, optional compiler flags on
non-Apple. This patch enables them automatically for public binaries
(libcurl and curl tool), and leaves them off for internal/test ones.
- MSVC enables this option by default for 'Release' configurations.
The curl build option has no effect on it.
- Observed effect on VS2010 is negligible. VS2012+ is recommended.
- Works with LTO, Fil-C.
- No observed/conclusive effect on build speed.
- On Windows with clang/gcc (mingw-w64/MSYS2/Cygwin) it also enables
`-fno-asynchronous-unwind-tables` as a workaround to make
the toolchain options actually work.
Ref: https://sourceware.org/bugzilla/show_bug.cgi?id=11539
Thanks-to: Andarwinux
Also:
- GHA: enable in Linux and MinGW jobs to test it. Size changes:
- linux aws-lc H3:
curl: 2000000 -> 1937152, libcurl.a: 2065724 -> 2716532 bytes
- macos clang HTTP-only:
curl: 1364376 -> 128799 bytes, libcurl.a: unchanged
- macos llvm MultiSSL:
curl: 410056 -> 405720, libcurl.dylib: 1350336 -> 1348480 bytes
- mingw schannel c-ares U:
curl: 1588736 -> 1507328, libcurl-d.a: 3322040 -> 3884746 bytes
bld: 34 -> 35MB
- GHA: enable in MSVC and Apple jobs to reduce disk footprint, with no
obvious downside. Size changes:
- AppVeyor CI VS2019:
curl: 2339840 -> 1295872, libcurl-d.dll: 3155968 -> 1900544 bytes
bld: 161 -> 97MB
- AppVeyor CI VS2022 clang-cl:
curl: 2933248 -> 2332160, libcurl-d.lib: 4762688 -> 5511330 bytes
bld: 133 -> 121MB
- AppVeyor CI VS2022 HTTP-only:
curl: 3514368 -> 2177024, libcurl-d.lib: 2538420 -> 3151740 bytes
bld: 137 -> 83MB
- GHA intel:
curl: 2629120 -> 2023424, libcurl-d.lib: 4366652 -> 5350670 bytes
bld: 86 -> 69MB
- GHA arm64:
curl: 2832896 -> 2063872, libcurl-d.lib: 4690616 -> 5597250 bytes
bld: 82 -> 66MB
Refs:
https://maskray.me/blog/2021-02-28-linker-garbage-collectionhttps://web.archive.org/web/20110811230637/msdn.microsoft.com/en-us/library/bxwfs976.aspx (VS2010)
https://learn.microsoft.com/cpp/build/reference/opt-optimizationshttps://learn.microsoft.com/cpp/build/reference/gy-enable-function-level-linkingCloses#20357
Unstripped size hides effective binary sizes due to the added debug
information. E.g. `--gc-sections` may inflate unstripped binaries, while
their unstripped size decreases. To see if binary size optimization
options work, it's more useful to observe unstripped size.
Ref: #20357
Follow-up to 4cf43508e8#20355Closes#20359
- schannel: fix mixed-up declaration. (originally fenced infof for
verbose, then changed to failf with the fence kept, then fence
removed and variable marked as verbose, when in fact it's not, but
not tested and caught in CI.
- fix two other fallouts.
- GHA/windows: disable verbose strings in a mingw job.
- appveyor: disable verbose strings in an MSVC job.
- appveyor: add way to pass any CMake option per-job.
Cherry-picked from #20387
Follow-up to 61093e2a81#20353Closes#20388
When the compiler supports C99.
- map logging functions to macro stubs when verbose logging is disabled
and the compiler is C99. Make sure these stubs silence unused variable
warnings for non-variadic arguments.
Before this patch they mapped to function stubs, the same codepath
used for C89 compiler in this configuration.
- introduce new macros to tell the compiler which code to include
when verbose code is active, or inactive:
- `CURLVERBOSE`: defined when verbose code is active.
To enclose blocks of code only used for verbose logging.
- `VERBOSE(statement);`:
compile statement when verbose code is active.
To mark code lines only used for verbose logging.
- `NOVERBOSE(statement);`:
compile statement when verbose code is inactive.
To suppress warnings for arguments passed to logging functions via
printf masks, e.g. `NOVERBOSE((void)ipaddress);`, yet keeping
the warning in verbose builds.
Note these macros are not the same as `CURL_DISABLE_VERBOSE_STRINGS`.
Verbose code is always active in C89 mode (without variadic macro
support).
- drop existing uses of `CURL_DISABLE_VERBOSE_STRINGS` where redundant,
or replace with the above macros. Ending up reducing the number of
`#ifdef`s, and also the number of lines.
Assisted-by: Daniel Stenberg
Assisted-by: Jay Satiro
Reported-by: Dan Fandrich
Fixes#20341
Refs: #12105#12167Closes#20353
- `stdbool.h` is also included via system headers. Disabling it from curl
does not fix it. Silencing lots of these:
```
curl/lib/curlx/warnless.h:64:1: warning: '_Bool' is a C99 extension [-Wc99-extensions]
64 | bool curlx_sztouz(ssize_t sznum, size_t *puznum);
| ^
/Library/Developer/CommandLineTools/usr/lib/clang/17/include/stdbool.h:24:14: note: expanded from macro 'bool'
24 | #define bool _Bool
| ^
```
- silence `-Wcomma` warnings.
in favor of the global silencing approach, since a couple of more of
these were hit (in vquic, tool1622, unit1309, unit1636), and it seems
silly to update them all.
Revert e8189c4420#20362
Also:
- cmake: include C standard in 'platform flags' log line.
- GHA/macos: switch a job to C89 to verify.
- GHA/linux: show 'C89' in job names.
Ref: https://cmake.org/cmake/help/v3.7/variable/CMAKE_C_STANDARD.htmlCloses#20363
Drop separate `TrackMemory` (aka `CURLDEBUG`) debug feature.
After recent changes (thread-safety,
193cb00ce9, and updates leading up to
it), `TrackMemory` is unlikely to cause build or runtime issues.
To simplify builds and debug options, enable `TrackMemory`
unconditionally for debug-enabled (aka `DEBUGBUILD`) builds. Before
this patch, this was already the default, with an option to disable
it, or enable it in non-debug-enabled builds.
Note, in practice these two debug options already went hand in hand. It
was not possible to toggle them separately for a long time due to bugs,
before 59dc9f7e69 (2024-05-28) fixed it.
This patch also removes/deprecates separate knobs and feature flags for
`TrackMemory`:
- autotools: `--enable-curldebug`/`--disable-curldebug`
- cmake: `-DENABLE_CURLDEBUG=ON`/`OFF`
- C macro: `CURLDEBUG`
- libcurl: `CURL_VERSION_CURLDEBUG` symbol deprecated in favor
of `CURL_VERSION_DEBUG`. They always return the same value after this
patch.
Also:
- drop `TrackMemory` from `curl -V` output.
- rename internal `CURLDEBUG` macro to `CURL_MEMDEBUG` internally.
To avoid confusion with `DEBUGBUILD`, but to keep guarding
`TrackMemory`-related internals for readability.
- runtests: bind `TrackMemory` to debug feature. Keep it a separate
test feature requirement, for clarity.
- CI: drop test builds for combinations of the two options.
- GHA/linux: no longer disable TrackMemory in the TSAN job.
Ref: https://github.com/curl/curl/pull/20328#issuecomment-3754528407Closes#20331
- It is slower and uses more memory than the alternatives and is only
experimental in curl.
- We disable a few tests for OpenSSL-QUIC because of flakiness
- It gets little attention from OpenSSL and we have no expectation of the
major flaws getting corrected anytime soon.
- No one has spoken up for keeping it
- curl users building with vanilla OpenSSL can still use QUIC through the
means of ngtcp2
Closes#20226
With the same semantics as Apple SecTrust, in both libcurl and the curl
tool, when using non-Schannel TLS backends. In practice it means that
it makes TLS work without manually or implicitly configuring a CA bundle
`.crt` file, such as `curl-ca-bundle.crt`.
To enable:
- autotools: `--enable-ca-native`
- cmake: `-DCURL_CA_NATIVE=ON`
- CPPFLAGS: `-DCURL_CA_NATIVE`
When enabled:
- enables `CURLSSLOPT_NATIVE_CA` (libcurl) / `--ca-native`
and `--proxy-ca-native` (curl tool) options by default.
- unsafe search for an on-disk CA bundle gets disabled by default.
Equivalent to `--disable-ca-search` with autotools,
`-DCURL_DISABLE_CA_SEARCH=ON` with CMake.
- build-time detection of CA bundle and CA path gets disabled. As with
Apple SecTrust. This was already the default for Windows.
- native CA can be disabled at run-time with the `--no-ca-native`
and/or `--no-proxy-ca-native` command-line options.
Rationale: This build option:
- has a repeat and active interest from packagers and users.
- helps integrating curl with Windows for those who need this.
- it also applies to macOS: #17525
Shipped in curl 8.17.0.
- makes it trivial to use custom certs configured on the OS.
- frees applications/packagers/users from the task of securely
distributing, and keeping up-to-date, a CA bundle.
- frees potentially many curl tool from configuring a CA bundle manually
to access HTTPS (and other TLS) URLs. This is traditionally difficult
on Windows because there is no concept of a universal, protected,
non-world-writable, location on the file system to securely store
a CA bundle.
- allows using modern features regardless of Windows version. Some of
these features are not supported with Schannel (e.g. HTTP/3, ECH) on
any Windows version.
- is necessary for HTTP/3 builds, where bootstrapping a CA bundle is not
possible with Schannel, because MultiSSL is not an option, and HTTP/3
is not supported with Schannel.
Ref: #16181 (previous attempt)
Ref: https://github.com/curl/curl/discussions/9348
Ref: https://github.com/curl/curl/issues/9350
Ref: https://github.com/curl/curl/pull/13111
Ref: https://github.com/microsoft/vcpkg/pull/46459#issuecomment-3162068701
Ref: 22652a5a4c#14582
Ref: eefd03c572#18703Closes#18279
After this patch curl requires targeting Vista or newer, and a toolchain
with Vista support.
Supported MSVC compilers (VS2010+) all support Vista:
- VS2012+ target Win8 (or later) by default.
- VS2010 targets Win7 by default.
Supported mingw-w64 versions (v3+) all support Vista:
- mingw-w64 v9+ target Win10 by default.
- mingw-w64 v8 and older target Server 2003 (~XP) by default.
After this patch it may be necessary to override the default Windows
target version to Vista (or newer) via:
autotools: `CPPFLAGS=-D_WIN32_WINNT=0x0600`
cmake: `-DCURL_TARGET_WINDOWS_VERSION=0x0600`
- mingw-w64 v6+ allow changing the default at toolchain build-time.
Notes:
- For non-MSVC, non-mingw-w64 toolchains, `if_nametoindex` needs to be
allowlisted in `curl_setup.h`, if they do support it.
Fixes#17985 (discussion)
Closes#18009
- MSYS2/Cygwin bash shells are now tagged "misfeature".
It is not something we can fix. We need these shells, and using
documented/necessary settings to use these environments should be
allowed without workarounds.
- untagged actions within curl's own organization are now also flagged
as "action is not pinned to a hash (required by blanket policy)". This
seems overkill. Making internal releases would not be helpful or
practical. Also considering that the referred internal action uses an
unpinned external action anyway (google/oss-fuzz/infra/cifuzz), with
near-zero chance to fix.
Ref: https://github.com/zizmorcore/zizmor/pull/1517#issuecomment-3759740853Closes#20339
- update `ruff` from 0.14.10 to 0.14.11
- update `filelock` from 3.20.1 to 3.20.3 (CVE-2026-22701) (used in pytests)
- update `psutil` from 7.2.0 to 7.2.1
Closes#20300
To simplify the directory layout.
- OS400 and vms support move from `packages` to `projects`.
- Windows README and `generate.bat` files move from `projects`
to `projects/Windows`.
Closes#20271
To run checksrc and spacecheck on the source tree. Also for cmake
to sync up with autotools' `checksrc` target.
- cmake: `curl-lint`
With `-DCURL_LINT=ON`, checks run automatically for all targets.
- autotools: `lint`
Closes#20175
Turns out in practice the internal cache name contains the arch where it
matters (arm or dual-arch local builds), which is part of the cache key
string. Drop `runner.arch` to avoid two arch strings in the key.
Cache keys without an explicit arch designator mean intel.
Revert ff78af5752#20234Closes#20249
`mbedtls-arm` and `mbedtls-prev` were matching `contains()` expressions
looking for `mbedtls`. It caused an unnecessary cache restore and an
redundant mbedtls build on bumps, and made the build flavors require
different local directory names to avoid this accidental collision.
Also drop `-threadsafe` from internal names. All local builds are.
Follow-up to 8806035344#20240
Follow-up to 3a305831d1#19077Closes#20248
All libresll jobs, wolfssl-all, and one mbedtls job.
As noted earlier, arm jobs run faster than intel ones, especially
valgrind steps that run almost twice as fast. Package install runs
slower, but this is offset by faster build and test steps, even in
non-valgrind jobs.
Follow-up to ff78af5752#20234
Follow-up to 2b0d8dcc16#20231Closes#20246
`libressl-filc` was matching `contains()` expressions looking for
`libressl`, causing build confusion and failure in specific cases.
Rename `libressl` to `libressl-c` to avoid this. Also rename the cache
id for consistency, though not necessary for the fix.
Bug: https://github.com/curl/curl/actions/runs/20860412340/job/59938315276
Follow-up to c262481873#19407
Cherry-picked from #20234Closes#20240
More cost-effective and seems as fast or faster than Intel.
In particular, valgrind seems to be almost 2x fast. So fast the job pair
could fit under 10 minutes if merged again (but would be the longest in
GHA/Linux.)
Installing packages is slightly slower. The package repo is Ubuntu's
which is slower than the Azure mirror used on Intel (unless Azure is
broken, which happened a lot last year).
To add to more jobs, the locally built deps also need to be migrated.
Also:
- add workaround for failing sshd server on Linux arm runners, caused by
world-writable `HOME` directory.
Closes#20231
To:
- see if build tool makes a difference for flaky 8x pytest slowdowns.
- to make this job finished faster.
`curl -V`, number of runtests (1793) and pytests (568/159) verified
to remain the same.
Closes#20211
For `PRI*` printf masks for fixed-size C99 types.
Also:
- add simple fallback for `PRIu32`, `PRIx32`, if `inttypes.h` is
missing.
Cherry-picked from #20200
Ref: #20207
Follow-up to 4701a6d2ae#19695
Ref: 60359ad504#12275Closes#20208
Number of jobs down to 34 (from 56 at end of last year.)
Out of them 7 autotools (was 24 at end of last year.)
Also:
- stop install brew packages preinstalled.
- make some dependency options explicit.
Closes#20203
To save 0.5 to 3 minutes per job.
There remain 7 main autotools jobs, plus 1 in combinations and 1 more
for iOS.
Also:
- fix to disable MQTT, WebSockets, IPFS in HTTP-only job.
Closes#20193
To reduce the number of jobs, and the time spent running macos runners.
The curl codebase has just a few Apple-specific parts, and they remain
well-covered after this patch.
Makes the number of jobs 24, down from 32.
Perhaps more jobs could be merged or dropped, and CPU use reduced by
moving some to cmake. Unique, but not Apple-specific jobs may also be
moved to Linux.
Follow-up to b869932392#20178Closes#20187
- drop autotools (except one) from combination jobs.
They seem to add little value over cmake ones, yet take a lot of time
even after restricting them to shared libs.
20-25s to install autotools via Homebrew, for each 11 jobs. autoreconf
taking 10s, configure 25s, build 30-35s. A total of 1m30s to 1m45s per
job. Sometimes jumping up to 2-4 minutes.
Compare this to 20-25s total job times with cmake.
Keep one job with an indentical cmake pair to help detecting
build-tool-specific fallouts.
- drop more combination jobs.
To avoid overlap with main build jobs.
Reducing number of jobs to 9, from 22 (-13),
total job time to 5.5 minutes, from 25 (-20m).
Before: https://github.com/curl/curl/actions/runs/20637652089
After: https://github.com/curl/curl/actions/runs/20686390641?pr=20178
Considering the small amount of Apple-specific code in curl since
dropping Secure Transport, and that most combination issue were in
the toolchains, not curl, there is likely more room to avoid wasting
cycles (at 41 macOS + 3 iOS jobs after this patch).
Follow-up to d057b705fd#20167Closes#20178
It also means that now all torture test-pairs use the same shallowness,
while earlier FTP used 20.
Also:
- This made macOS torture jobs slow enough to split them into 3 jobs.
Follow-up to 2cbcde90e7#20153Closes#20172
From 15 to 10 minutes.
To reduce the idle wait for hung jobs from 20 to 15 minutes (hopefully),
so that the failed just can be restarted manually eariler. It appears
that GitHub Actions notices a hung job 5 minutes past the workflow
timeout (reason undiscovered).
Also: Leave extra time for torture and arm64 jobs.
Closes#20170
To avoid building libcurl in both static and shared flavor by default.
It results in 1.5-2.x speed-up for the curl build step in most jobs.
Saving a total of 6-7 minutes. In the Cygwin job alone it saves 1-1.5m.
Also:
- enable static + shared in a Windows job to keep testing this combo.
Follow-up to ff958fc4b2#20159Closes#20167
To make CI turnaround time shorter, by cutting the longest running jobs.
After this patch all jobs should finish around 10-11 minutes. Down from
15-16 minutes before this patch.
Suggested-by: Stefan Eissing
The fuzzing workflow is now the slowest (with a 7-minute startup time
needed to build deps from source on each run), followed by macOS
and Windows torture tests (both split in two now). Without fuzzing, it's
under 10 minutes.
Notes:
- an extra cost with job-pairs is installing prereqs,
configuring/building curl and tests twice. GitHub doesn't support
making a matrix job a prereq for another workflow that may fix this:
https://github.com/orgs/community/discussions/42335
This overhead is significant on Windows: 11m20 -> 9m20 + 8m40
- job-pairs are annoying to maintain and keep in sync.
- splitting tests into halves is a manual process and needs to be
revisited from time to time. Possibly something to automate with
a runtests option, e.g. with `1 of 50%` and `2 of 50%`?
Also:
- split torture tests in two equal pieces, replacing the `FTP` + `!FTP`
split used earlier.
Related perf improvements from today:
- make scan-build 2x fast:
ff958fc4b2#20159
- drop build-only Testi386 fuzz workflow (from curl), saving 9m per run:
0106023c1fhttps://github.com/curl/curl-fuzzer/pull/236Closes#20153
To make the longest running FreeBSD job finish 1.5 minutes faster
(9.5m -> 8m).
Examples are still built with both autotools and cmake, one on Intel and
one on ARM.
Closes#20146
- update `github/codeql-action` from 4.31.8 to 4.31.9
- update `cross-platform-actions/action` from 0.30.0 to 0.32.0
- support for OmniOS and FreeBSD 15.0
- releases are now immutable
Closes#20140
Tailored for each job with a relatively tight limits. Also with no
tolerance in valgrind tests: 4 of the 4 has to be run.
Based on Test Clutch feature matrix which displays the minimum and
actual number of tests:
https://testclutch.curl.se/static/reports/feature-matrix.html
Also:
- runtests.pl: include total number of tests in the error message shown
when the limit was not met.
Assisted-by: Dan Fandrich
Follow-up to 3f1cd809ee#19942Closes#20050
Also:
- vquic-tls.h: do not include unused headers for non-H3 builds.
- autotools: stop looking for `openssl/x509.h` header.
- cmp-config.pl: delete exception for `openssl/x509.h`.
- examples: format/comment sync between the two touched files.
- openssl: drop unused `curlx/wait.h` include.
Closes#20049
- update `filelock` from 3.20.0 to 3.20.1 (CVE-2025-68146) (used in pytests)
- update `pytest` from 9.0.1 to 9.0.2
- update `ruff` from 0.14.8 to 0.14.9
Closes#20004
- lib: delete two unused `<sys/un.h>` includes.
- lib: drop interim macro `WIN32_SOCKADDR_UN`.
Follow-up to 0fe9018e1a#7737
Also fixing a potential issue of leaving unix socket support disabled
if any header would include Windows' `afunix.h`, and define
`UNIX_PATH_MAX` on its own.
- connect: honor unix socket disable option.
- connect: simplify unix socket PP condition.
`USE_UNIX_SOCKETS` already means the necessary header/type are
available, guaranteed by configure. `AF_UNIX` is already used
elsewhere in the code without explicit checks.
- curl_setup.h: document availability of `afunix.h` on Windows more.
It requires mingw-w64 10+ or MS SDK 10.17763.0 VS2017 15.8+.
- curl_setup.h: use `afunix.h` with mingw-w64 v10+ to start avoiding
the local workaround if possible.
- GHA/windows: test disable unix socket option on Windows.
Ref: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/Closes#19989
To run more pytest sshd tests, and for more static analysis.
Also:
- drop redundant option from `openssl libssh2 ...` config.
- GHA/linux: enable pytest in the LTO job (to test libssh2).
- avoid both with local builds of OpenSSL-forks, due to crypto lib
mixups causing a mixture of build error, crashes, test failures.
Follow-up to eb39fee40b#19934Closes#19943
To formalize they are now XML-compliant (with some asterisks.)
Also to help syntax highlighters work on them to make their content more
readable.
Also:
- Delete empty comment decorations.
- GHA/checksrc: simplify XML check.
- runtests: fail to load test data with XML prolog missing.
Follow-up to bfe6eb1c06#19927
Follow-up to 87ba80a6dfCloses#19946
- cmake: automatically disable typecheck when running clang-tidy,
to avoid possible interference, and to improve performance.
- INSTALL-CMAKE: document both this, and unity=off for clang-tidy.
- GHA/linux: disable for some static analyzers CI jobs to avoid possible
interference.
- GHA/linux: disable in Fil-C job to improve build performance.
Follow-up to 9e6f1c5efb#19637
Follow-up to fd2ca2399e#17955Closes#19941
To detect mistakes made in the runtests framework that reduce
the number of test runs. Before this patch it could go undetected with
a green CI.
The minimum thresholds will need light maintenance going forward (either
bumping them periodically, or adjust if some may fell below minimums for
justified reasons). We may also make minimums tighter or looser, or more
job-specific.
Latest number of test runs for each job can be seen at Test Clutch:
https://testclutch.curl.se/static/reports/feature-matrix.html
Also:
- GHA: set minimums.
Assisted-by: Dan Fandrich
Follow-up to f2a75a14dd
Follow-up to bb1391f943#19510Closes#19942
- drop stray duplicate empty lines in docs, scripts, test data, include,
examples, tests.
- drop duplicate PP parenthesis.
- curl-functions.m4: move literals to the right side in if expressions,
to match rest of the source code.
- FAQ.md: delete language designator from an URL.
- packages: apply clang-format (OS400, VMS).
- scripts/schemetable.c: apply clang-format.
- data320: delete duplicate empty line that doesn't change the outcome.
- spacecheck: extend to check for duplicate empty lines
(with exceptions.)
- fix whitespace nits
Closes#19936
Nothing conclusive for the last ~30 days when `taskkill` was made
a no-op. Jobs remained flaky with all known failure modes. Sometimes
they finish green on the first run, sometimes they fail. Hard to say
more without comparing detailed stats for this period and the
preceding (or upcoming) one.
In almost all runs, the PID to be killed did not exist at the time of
check.
Follow-up to 2701ac6a4d#19421Closes#19897
To make the test files XML-compliant, and the expected results
possibly easier to manage by keeping them in `.md`, `.html`, `.1`
and `.txt` files.
Non-XML-compliant files are down to 31 (1.6%) after this patch.
Closes#19882
With Schannel and Unicode, `-shallow=13`. It finishes in 12 minutes,
making it the slowest Windows job. It's still on par with torture jobs
on other platforms (though they manage to fit `-shallow=25`).
Also `-shallow=13` still caught leaks in multiple tests.
Also:
- test2300: exclude from CI Windows torture tests.
- experimental.
The downside of going with deeper torture tests, is that it requires
increasing the job timeout. This in turns means that a hung job takes
more minutes to be killed (due to GitHub bugs where a hung step does not
honor the per-step timeout on Windows, another bug where a hung job gets
killed +5 minutes above the workflow timeout, and another bug (or
feature?) where other failed/hung jobs in the the workflow cannot be
restarted till the last job finishes or gets killed. And all this
probably related to a Perl bug which makes it hang on fork errors, which
is turn related to Cygwin/MSYS2 runtime bugs which breaks fork in case
of curl's mixed MSYS2-Perl/native-curl-binaries environment.)
The end result in longer forced waits before being able to restart flaky
jobs, which slows down iterations and annoying.
Also tried:
- non-c-ares job: detected known issues much less often.
- replaced libidn2 with WinIDN: detected known issues much less often.
- runtests -j9-j20 values: did not make a difference.
- other `-shallow` values: 20 is the max feasible, but comes with the
downside described above.
Ref: #19675 (reboot of)
Follow-up to f08417c425#19863Closes#19865
- URLs specified outside of the markdown []() are now extracted and
checked
- also check TODO, FAQ and KNOWN_BUGS
- more aggressive avoiding to check github.com/curl/curl, all uses of
example domains and some more established URLs on the curl.se site
- list all errors in the end to make them easier to spot in CI logs
Closes#19848
To reduce to amount of Debian packages to install, which hopefully
removes some flakiness due to sometimes very slow Azure package
distro servers. Possible also making these jobs finish 20s faster.
Windows from Debian | llvm | gcc
:------------------ | :----------------: | :----------------:
build time | 2m41s -> 2m20s | 3m19s -> 2m57s
installed packages | 288 -> 142 | 247 -> 99
downloads | 403 MB -> 240 MB | 297 MB -> 134 MB
disk space | 2132 MB -> 1289 MB | 1582 MB -> 739 MB
Before: https://github.com/curl/curl/actions/runs/19765983026
After: https://github.com/curl/curl/actions/runs/19766373960?pr=19749
Ref: 02149b7e36Closes#19749
Install CMake from the Kitware GitHub release archive. To allow choosing
its version independently from the OS.
Switch to 3.7.0 (from 3.7.2) to test the earliest supported version.
Also tested OK with 3.18.4 and 3.7.2.
The download and install step takes 1-2 seconds.
Follow-up to c9e50e9e39#19737Closes#19738
GnuTLS 3.8.11 started requiring a nettle version new enough to be
missing from Ubuntu LTS released a year ago. To keep up testing it,
build nettle from source. Besides the necessary one time effort this
has the downside that nettle updates now need to be done manually
a couple of times per year when renovate detects one. (if I got the
renovate formula correct to catch the tag format).
Also:
- switch the local GnuTLS build to use the release tarball instead of
the Git repo and calling the script `bootstrap`. The script could
potentially download source code using the cleartext `git:` protocol.
It's also downloading lots of content, including a full OpenSSL repo.
Ref: 955f7a7fc2/NEWS (L41-L44)
Follow-up to 905b718de3#19642
Follow-up to a439fc0e37#19613Closes#19680
Also:
- memdebug: fix symbol collision in unity builds.
- memdebug: fix compiler warning by making a variable static.
Follow-up to c77bed81a2#19657Closes#19666
This reverts commit a439fc0e37.
It requires a version of libnettle that is not included in these Ubuntu
versions: "Libnettle 3.10 was not found"
Closes#19642
Usage:
- autotools: `--disable-typecheck` (or `--enable-typecheck` (default))
- cmake: `-DCURL_DISABLE_TYPECHECK=ON`.
To disable `curl_easy_setopt()`/`curl_easy_getinfo()` type checking with
supported (new) gcc and clang compilers. It is useful to improve build
performance for the `tests/libtest` target. In particular the CodeQL
analyzer may take above an hour to compile with type checking enabled,
and disabling it brings it down to seconds. On local machines it may
also cut build times in half when build testdeps, depending on platform
and compiler.
Other than these cases, we recommend leaving type checking enabled.
Ref: fdacf34aae#19632
Also:
- GHA/codeql: use it.
- test1165: check in `include/curl`.
- lib1912: delete stray todo comment.
- spelling and comment nits.
Closes#19637
macOS was chosen because xmllint comes preinstalled, saving the prereq
install step. But, macOS's xmllint jobs sometimes doesn't finish in 1m
(instead of under 1 second) and gets cancelled, causing flaky failures.
Go with Linux and an install phase (of 15s) instead.
Examples:
https://github.com/curl/curl/actions/runs/19558021722/job/56004334495Closes#19634
Turns out the cause of CodeQL hangs (or probably just extreme long
compile) is the header `curl/typecheck-gcc.h`. By accident I noticed
that the preprocessed output of libtests.c is 75 MB (megabytes). This
is much higher than the amounf of source code hinted, also compared to
e.g. units.c or other build targets. The reason for the extreme size
is each easy option call pulling in the large checker logic defined
in this header.
By compiling with `-DCURL_DISABLE_TYPECHECK`, preprocessed output drops
to 2.2 MB (34x), and the libtests target builds without issues.
Also build all tests and examples with the Linux HTTP/3 config, covering
3 more files.
With these, CodeQL C coverage is 893 out of 930 (96%) (was: 645 69%)
Follow-up to 71fc11e6bb#18695
Follow-up to a333fd4411#18557
Follow-up to b4922b1295#18564
Closes https://github.com/vszakats/curl/pull/11Closes#19632
Only the `test-ci` build target sets `--buildinfo` automatically,
since 985f39c0ce. It needs to be set
manually for other targets used in CI, such as `test-torture`,
to enable the `buildinfo.txt` dump in the runtests step.
For Test Clutch. In an attempt to re-sync `targetarch` with the rest of
macOS jobs on the feature matrix page:
https://testclutch.curl.se/static/reports/feature-matrix.html
Before this patch and possibly since the breaking update It's `aarch64e`
for torture jobs and `aarch64` for the rest
(stricly speaking `aarch64e` is the correct value for all macOS jobs, but
autotools and cmake report arm64/aarch64 without the `e`.)
Regression from 985f39c0ce#18147Closes#19601
