To silence zizmor 1.16.0 warnings.
Also:
- http3-linux: replace hard-coded workflow name with variable.
Follow-up to a8174176b5 #13841
- codeql: set `cancel-in-progress: true`.
zizmor apparently does not allow `false` in pedantic mode anymore:
https://github.com/zizmorcore/zizmor/pull/1227
- codeql: sync concurrency setting with the rest of the jobs.
(I'm not sure this is correct, or why it was previously special-cased.)
Expressions used (before and after this patch):
- `group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }}`
for GHA/appveyor-status.
- `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}`
for all the rest.
Ref: https://github.com/curl/curl/actions/runs/18776245057/job/53571438139?pr=19209
Closes #19215
The kerberos5 library Heimdal is one of three GSS libraries curl supports.
It has a memory leak triggered by the new test in #18917 and the project
seems mostly abandoned.
Drop support and steer users to the MIT krb5 or GNU GSS libraries.
Co-authored-by: Daniel Stenberg
Ref: #18928
Closes #18928
Closes #18932
- cryptography from 44.0.1 to 46.0.2 in tests/http
- ruff from 0.13.2 to 0.14.0 in .github/scripts
- reuse from 6.0.0 to 6.1.2 in .github/scripts
- github/codeql-action from 3.30.5 to 4.30.7
Closes #18941
Closes #18942
Closes #18943
Closes #18945
Closes #18947
For a complete, online, check.
After this patch the check takes 30s, up from a fraction of a second.
Also bump CodeQL actions to their latest version.
Closes #18827
To test it in GHA and catch issues at PR time. Before this patch,
Circle CI caught them after pushing to master (or non-fork PR
branches.) GHA also runs runtests, pytests and static analysis on
these builds, after this patch.
- GHA/linux: enable no-verbose in an existing job.
- GHA/linux: enable no-verbose in the H3 scan-build job too.
- GHA/macos: enable no-verbose in one build (= 3 jobs with different
compilers).
- GHA/codeql: enable no-verbose in the MultiSSL Linux build.
- circleci: delete openssl no-verbose job in favor of the above.
Closes #18797
In an attempt to make `brew install` commands initialize faster.
Often this command started with 20-50 seconds of delay before this
patch. This is an attempt to make it launch faster.
Cherry-picked from #18736
This is an effort to pass more code through clang-tidy and scan-build
static analyzers. Following CodeQL Linux jobs.
GHA/codeql:
- also build with libssh.
- disable verbose output in build steps.
GHA/linux:
- enable more build options for the clang-tidy and scan-build jobs:
libidn2, nghttp2, ldap, kerberos, rtmp, gnutls, gsasl, rustls,
mbedtls, wolfssl
Use Linuxbrew where necessary.
- also enable ECH, gssapi in the scan-build job.
- fix 'scanbuild' to be 'scan-build' in the job name.
GHA/macos:
- build with Rustls in the clang-tidy job.
- add a new clang-tidy job to test HTTP/3 (with openssl + ngtcp2).
- build with libssh in one of the clang-tidy jobs.
- build with LibreSSL in the MultiSSL clang-tidy job.
- build with heimdal and kerberos in the clang-tidy jobs respectively.
- build with OpenLDAP in one clang-tidy job.
- add support for `skipall`, `skiprun` job options, and use it.
Closes #18660
- add HTTP/3 build with OpenSSL 3.5, nghttp3 and ngtcp2.
- enable GSASL, Heimdal, rtmp, SSLS-export.
- make one build MultiSSL with GnuTLS, mbedTLS, Rustls, wolfSSL.
- build servers (also on Windows), and tunits.
- use Linuxbrew to install build dependencies missing from Ubuntu.
Coverage is now 466 C files. (was: 446)
Closes #18557