
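# Vendors the nss-rs crate from the current checkout into a fresh Gecko
# checkout and runs `mach vendor rust` (which includes cargo vet) against it.
# The job is strictly read-only: the token has `contents: read` and neither
# checkout persists credentials, so nothing produced here can be pushed.
name: Vendor into Firefox
on:
  pull_request:
  merge_group:
  workflow_dispatch:
concurrency:
  # One run per PR (or per ref for merge_group/workflow_dispatch); newer pushes cancel older runs.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
defaults:
  run:
    shell: bash
env:
  CARGO_TERM_COLOR: always
jobs:
  vendor:
    name: Vendor into Gecko
    runs-on: ubuntu-24.04
    steps:
      - name: Check out nss-rs
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: nss-rs
          persist-credentials: false
      - name: Check out Gecko
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: mozilla-firefox/firefox
          path: firefox
          ref: main
          fetch-depth: 1
          persist-credentials: false
      - name: Vendor nss-rs into Gecko
        working-directory: firefox
        run: |
          # Minimal mozconfig for a release browser build; objdir kept outside the tree.
          {
            echo "mk_add_options MOZ_OBJDIR=../obj-firefox"
            echo "ac_add_options --enable-application=browser"
            echo "ac_add_options --disable-tests"
            echo "ac_add_options --enable-release"
          } > mozconfig
          # Version of the nss-rs crate under test, read from the sibling checkout.
          version=$(cargo metadata --manifest-path ../nss-rs/Cargo.toml --format-version 1 --no-deps \
            | jq -r '.packages[] | select(.name == "nss-rs") | .version')
          # Fail early if no package named nss-rs was found (e.g. it was renamed):
          # an empty version would otherwise yield a bogus audit entry below.
          if [ -z "$version" ]; then
            echo "::error::Could not determine the nss-rs version from ../nss-rs/Cargo.toml"
            exit 1
          fi
          # Redirect the nss-rs patch to our local checkout.
          # The section may or may not exist in Gecko's Cargo.toml.
          python3 - <<'PYEOF'
          import re, pathlib
          p = pathlib.Path('Cargo.toml')
          text = p.read_text()
          new = 'nss-rs = { path = "../nss-rs" }'
          # NOTE(review): `hdr` (the `[patch.<source>]` table header being edited)
          # is not assigned anywhere in this snippet; confirm it is defined before
          # this point, otherwise the next line raises NameError.
          if hdr not in text:
              text += f'\n{hdr}\n'
          # Group 1 = the table body: every line up to the next '[' section header.
          m = re.search(re.escape(hdr) + r'\n((?:(?!\[).*\n)*)', text)
          # Replace an existing nss-rs entry in place, or prepend one if absent.
          body, n = re.subn(r'(?m)^nss-rs\s*=.*', new, m.group(1))
          if not n:
              body = new + '\n' + body
          p.write_text(text[:m.start(1)] + body + text[m.end(1):])
          PYEOF
          # Full re-resolve: a targeted `cargo update nss-rs` would keep the
          # stale v0.9.0 lock entry (path-dep entries carry no source field,
          # so cargo can't match the old entry to the changed [patch] path).
          cargo update
          # Placeholder cargo-vet audit so vendoring does not stop on the
          # unreviewed local crate. It asserts safe-to-deploy without any real
          # review, so it is CI-only by design: this job has no write permission
          # and no persisted credentials, so the entry can never be pushed.
          {
            echo "[[audits.nss-rs]]"
            echo 'who = "CI"'
            echo 'criteria = "safe-to-deploy"'
            echo "version = \"$version\""
            echo 'notes = "Placeholder created by CI."'
            echo ""
          } >> supply-chain/audits.toml
          # Hide .git to prevent mach from running git operations
          mv .git .git.bak
          trap 'mv .git.bak .git' EXIT
          if ./mach vendor rust --ignore-modified 2>&1 | tee vendor.log; then
            echo "Vendoring succeeded"
            exit 0
          fi
          if [ ! -s vendor.log ]; then
            echo "::error::Vendoring failed with no output"
            exit 1
          fi
          if grep -qE "Vet error|Missing audit for" vendor.log; then
            # Best-effort extraction of "<crate>:<major>.<minor>" tokens from the
            # vet output; `|| true` keeps a no-match grep (exit 1) from aborting the step.
            FAILING_CRATES=$(grep -oE '[a-zA-Z_][a-zA-Z0-9_-]*:[0-9]+\.[0-9]+' vendor.log \
              | cut -d: -f1 | sort -u) || true
            if echo "$FAILING_CRATES" | grep -qxF "nss-rs"; then
              echo "::error::Vet failure for nss-rs"
              cat vendor.log
              exit 1
            fi
            # --force bypasses cargo vet for the unrelated crates. Acceptable only
            # because nothing in this job writes the vendored tree back anywhere.
            echo "::warning::Vet failures are unrelated to nss-rs, forcing"
            ./mach vendor rust --ignore-modified --force
          else
            echo "::error::Vendoring failed for non-vet reasons:"
            cat vendor.log
            exit 1
          fi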