- pin Debian trixie Docker image to hash.
- set Dependabot to update the pin once every month.
- set Dependabot commit message prefixes to `GHA:` (to match curl).
Closes#1724
Tests started failing after touching `sshd_config`, which bumped
the test container from Debian Bookworm to Trixie, and openssh-server
from 9.2p1 to 10.0p1 with it. OpenSSH v10 no longer supports legacy KEX
algos `diffie-hellman-group*` and `diffie-hellman-group-exchange-*`,
making libssh2 require ECDSA or ED25519 to enable `curve25519-sha256*`
or `ecdh-sha2-*`, for the tests to succeed.
libgcrypt, stock Ubuntu wolfSSL, and WinCNG CI jobs broke.
- ED25519 is only supported with OpenSSL and LibreSSL 3.7+.
- ECDSA is supported by OpenSSL and mbedTLS (unless disabled),
by wolfSSL in certain cases (but not on Ubuntu 24.04 with the stock
v5.6.6 build), and by WinCNG when explicitly enabled, and targeting
Windows 10/2016 Server.
Fixed by:
- wolfSSL support received an ECDSA detection fix, that resolved
the issue with the stock Ubuntu builds, via:
b807dac921#1723
- WinCNG had ECDSA enabled in CI in the job running tests, via:
0f5843874b#1721
- to make CI pass, disable running tests with Libgcrypt in this patch.
An alternate option is to downgrade to Bookworm, with the undesired
effect that its openssh-server doesn't support ML-KEM and other modern
SSH features, meaning those could not be tested once implemented in
libssh2, e.g. in #1644.
Ref: https://www.openssh.com/txt/release-10.0
Ref: https://packages.debian.org/trixie/openssh-server
Ref: https://packages.debian.org/bookworm/openssh-server
Ref: https://packages.ubuntu.com/noble/libwolfssl-dev
Bug: https://github.com/libssh2/libssh2/pull/1718#issuecomment-3397142351
Follow-up to 4f9e6e0bfb#1718Closes#1720
Also:
- rename a spellcheck file to match curl.
- editorconfig: fix line width.
- editorconfig: make it use UTF-8.
- editroconfig: apply some rules to all files.
- .gitignore: drop dupe, drop `.DS_Store` (not created by this repo),
sort.
- .gitignore: add for tests executables.
Closes#1718
To render in Git webviews as-is, to make it easier to edit, verify,
and to sync up with curl.
- add options to not build the `.3` man pages:
- autotools: `--disable-docs`
- cmake: `LIBSSH2_BUILD_DOCS=OFF`
- building `.3` man pages requires Perl after this patch.
- drop `mansyntax` and the shell / `grep` / GNU `man` tool requirements with it.
- scripts and most logic were copied from curl.
- add `cd2nroff` from curl, with edits to relax curl-specific checks.
- used `nroff2cd` (from curl) to convert from `.3` to `.md`. Then
manually fixed copyrights, inline function references and a couple
of other things.
Credits-to: Daniel Stenberg
Ref: eefcc1bda4
Ref: https://github.com/curl/curl/pull/12730
Ref: https://github.com/libssh2/www/issues/25#issuecomment-3289431671Closes#1660
- drop redundant `--parallel` cmake option for Ninja builds.
- use Ninja for aws-lc, also simplify the script.
- use global default `MAKEFLAGS`. This also makes certain
steps faster due to missing parallelism before this patch.
- enable `-DBUILD_OSSFUZZ=ON` in a cmake job.
- split Cygwin job into steps. To sync with others.
- sync Cygwin build type name with other jobs.
Closes#1684
To avoid littering the Actions cache.
Another, libssh2-specific issue is that the cache is bound to codeql
version, master commit hash and platform. But in libssh2 we buidl 4
different configurations on Linux, which caused these caching failures:
```
C (OpenSSL) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
C (wolfSSL) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
C (mbedTLS) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
```
Ref: https://github.com/libssh2/libssh2/actions/runs/17744827522
It's probably something to fix, because it suggests that it's unexpected
to build multiple configs in a matrix. Perhaps it's better to build them
after each other in the build step. Though it's not yet clear how
the CodeQL engine is considering coverage for different build
configurations of the same codebase.
Ref: https://github.com/curl/curl/pull/18613
Ref: 9618c337d1
actions/upload-artifact from 4.6.1 to 4.6.2
cygwin/cygwin-install-action from 5 to 6
msys2/setup-msys2 from 2.26.0 to 2.29.0
Closes#1649Closes#1650Closes#1651
By micromanaging the project dependency and its inclusion into the test
project. It feels like an awkward construct, but perhaps better than
nothing.
It's also fragile because it's a static build with no assistance from
the external project (curl in this case). Mitigated in test by disabling
all dependencies and some features.
Since there is no special core cmake logic to be tested here, in CI
the test is tested really. To keep CI jobs at minimum, only add 3 of
them, taking 26s in total. (All 6 would take 203s.)
Follow-up to 77df767784#1589Closes#1637
Also:
- merge CI check and shellcheck jobs into a single one.
To share the same shellcheck version and less overhead.
- use `set -eu` in more scripts.
- make sure CI scripts run from any cwd.
To make it easy to run them on local machine.
- minor tidy-ups.
Closes#1618
Also:
- fix old yamllint warnings.
- make quoting more consistent.
- drop stray step name: "checkout".
- merge REUSE workflow into main CI one.
Closes#1614
It was an exercise to run old cmake versions in CI and in the test suite.
It also revealed that 3.7.2 2017-01-13 is too old to consume libssh2 via
`find_package()` due to:
```
CMake Error at bld-libssh2/_pkg/lib/cmake/libssh2/libssh2-config.cmake:35 (add_library):
add_library cannot create ALIAS target "libssh2::libssh2" because target
"libssh2::libssh2_shared" is IMPORTED.
Call Stack (most recent call first):
CMakeLists.txt:27 (find_package)
```
The mitigation for this issue requires 3.11.
Also:
- rename a few existing envs to use the `TEST_` prefix.
- make the `find_package` test provider stage verbose.
Closes#1591
- ci/GHA: add cmake integration tests for Windows.
- ci/GHA: test `add_subdirectory` with Libgcrypt.
- make them run faster with prefill, unity, Ninja, omitting curl tool.
- add support for any build configuration.
- add old-cmake support with auto-detection.
- auto-detect Ninja.
- run consumer test apps to see if they work.
Also show the cryptography backend.
- add support for Windows.
- make it more verbose.
- re-add `ExternalProject` cmake consumer test. It's broken.
- tidy up terminology.
Cherry-picked from #1581Closes#1589
- move dependency properties (libs, libdirs, C flags, header dirs,
pkg-config module names) from global lists to imported target
`INTERFACE` properties. Rework FInd modules to return their results
like this and update the libssh2 build process to use it. It makes
Find modules re-usable from the cmake-config script by libssh2
consumers, to integrate with libssh2 dependencies.
- define libssh2 dependencies as "imported targets" by the name:
`libssh2::<depname>`, e.g. `libssh2::libgcrypt`.
- cmake-config: add fall-back logic for CMake without
CMP0099 (v3.17 2020-03-20) to set lib directories.
- generate `libssh2.pc` based on imported target properties (instead of
global lists).
- add target property dump debug function.
- ci/GHA: also test cmake integration on macOS.
Follow-up to 96d7f404e7#1534Closes#1535
