This hides a bunch of mess underlying `cargo update -Z direct-minimal-versions`:
mainly the ability to exclude workspace crates with publish=false from
version resolution (`--ignore-private` flag).
Of `-Z minimal-versions` it is said:
> Note: It is not recommended to use this feature. Because it enforces minimal
> versions for all transitive dependencies, its usefulness is limited since not
> all external dependencies declare proper lower version bounds.
`-Z direct-minimal-versions` appears to be its replacement, which means our
CI is checking things only within our control.
Provide shims for a limited number of places where ring 0.17 and
aws-lc-rs (ring 0.16-era) APIs have diverged. This is a
short-term fix, as they are likely to diverge more over time.
Eventually we'll have to stop sharing the code like this.
For unit-like tests, export a `test_provider` alias that resolves
to a provider module, for use in these tests.
This resolves to:
- *ring* if cfg(feature = "ring"), else
- aws-lc-rs if cfg(feature = "aws_lc_rs"), else
- is absent
Add Bug report, Feature request, and Dependency update issue templates to help prompt users into providing the information that will get them the best help.
As of cargo-check-external-types v0.1.9 the tool can read its
configuration from the crate `Cargo.toml` metadata, removing the need
for a standalone TOML file and the `--config` arg. This commit switches
to that style of configuration.
This needs nightly, which is affixed as the version documented as working by
cargo-check-external-types.
external-types.toml is a config file as a starting point: it allows all types from
pki-types.
This currently fails due to some `impl From<ExternalType>` on public types.
Running `cargo hack check --locked --feature-powerset` seems to be
failing, as it detects that the lockfile needs to be updated. Updating
the lockfile and re-running causes the same error. It looks as though
it is removing items from the lockfile based on which features it's
testing.
To prevent this test from failing, let's remove `--locked` and test the
feature powerset with relaxed handling of the `Cargo.lock` file.
Now that we're checking in `Cargo.lock` files we'll be getting more
Dependabot PRs for semver compatible Cargo dependency updates. This
commit switches the tool to run weekly instead of daily so that we don't
have to spend as much time triaging these on a day-by-day basis.
This is an example that builds a mostly-unchanged rustls example
(simpleclient), but only using crypto from the rust-crypto project
and elsewhere.
This is intended to be minimalistic, and not a complete replacement
for *ring*.
It implements:
- TLS1.3 TLS13_CHACHA20_POLY1305_SHA256 cipher suite.
- TLS1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite.
- X25519 key exchange.
- RSA-PSS-SHA256 and RSA-PKCS1-SHA256 signature verification for
verifying the server, integrated into the webpki crate.
- random generation using `rand_core`.
This means it can fetch www.rust-lang.org.
TLS1.2 is not strictly necessary for this server, but serves to
demonstrate that part of the API.
Test the feature powerset of the crate using `cargo hack`. The runtime
of this is too large to use as part of the regular CI flow but it is
helpful for catching feature interaction breakages.
This better separates the connection tests from the example binary smoke
tests. In a subsequent commit we will add another job for running `cargo
hack`.
We are gradually adding other CI tasks here that aren't appropriate for
the main CI runs. Since it's no longer dedicated to just running the
connection tests we need a more representative name.
Since v4 of the `actions/setup-go` action, caching is enabled by default
and when a `go.sum` can't be found in the root of the project, a warning
is logged.
Since we don't have a `go.sum` in the project root, this warning was
being issued by both tasks that used the `setup-go` action:
* The BoGo test suite task
* The code coverage task
For the first of these, caching is disabled to avoid the warning - we
weren't benefiting from this to begin with and setting
`cache-dependency-path` to `bogo/bogo/go.sum` or `bogo/go.sum` wasn't
working.
For the second of these, it's not clear _why_ we were installing the Go
toolchain. The BoGo test suite is not being run by this task and so Go
is not required. Removing it fixes the warning.
MSRV is important (and tested separately) for the core crate
(and its dependencies) but doesn't apply to test code.
Run these daily to notice any breakage earlier.
This commit updates the `build.yml` GitHub actions workflow to
additionally include a step that checks semver compatibility w/
cargo-semver-checks[0].
Notably this check passing is necessary but not sufficient for knowing
that we're maintaining semver: if this tool produces a finding we know
we aren't matching semver, but if it doesn't, we may still be breaking
semver in a way the tool can't detect.
[0]: https://github.com/obi1kenobi/cargo-semver-checks
This commit adds `merge_group` to our CI task `on` triggers in
preparation for enabling the merge queue feature.
Per the GitHub docs[0]:
> You must use the merge_group event to trigger your GitHub Actions
> workflow when a pull request is added to a merge queue.
>
> Note: If your repository uses GitHub Actions to perform required
> checks on pull requests in your repository, you need to update the
> workflows to include the merge_group event as an additional trigger.
> Otherwise, status checks will not be triggered when you add a pull
> request to a merge queue. The merge will fail as the required status
> check will not be reported. The merge_group event is separate from the
> pull_request and push events.
[0]: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue
This commit adds a CI task that uses `cross` to cross-compile Rustls for
the 32bit `i686-unknown-linux-gnu` target. This can be used as
a smoke-test that we haven't broken 32bit compat. Unfortunately GitHub
doesn't offer 32bit action runners so we have to cross-compile to
achieve this test.
To install `cross` this commit relies on `install-action`[0]. This is
a new 3rd party action for the Rustls repo, but one that was already
being used in `webpki` for `llvm-cov` and `cargo deny`. If we'd prefer
to avoid that workflow dependency we could instead `cargo install cross`
at the cost of having to use nightly rust and longer CI execution time.
[0]: https://github.com/taiki-e/install-action
We want to catch breakages in these client examples when they occur, but
also don't want to run them during normal CI since they connect to
external hosts and may occasionally flake.
This commit adds `simpleclient`, `limitedclient`, and
`simple_0rtt_client` test runs to the `connect-tests.yml` CI
configuration we run on a weekly basis.