Merge branch 'main' into initial-rtt-configurability

Author: robamu

.github/CODEOWNERS

@@ -1 +1 @@
-*    @KershawChang @martinthomson @larseggert
+*    @KershawChang @martinthomson @larseggert @mxinden

.github/actions/nss/action.yml

@@ -1,23 +1,34 @@
-name: Fetch and build NSS
-description: Fetch and build NSS
+name: Install NSS
+description: Install NSS
 
 inputs:
   type:
-    description: "Whether to do a debug or release build of NSS"
+    description: "When building, whether to do a debug or release build of NSS"
     default: "Release"
-
-# This step might be removed if the distro included a recent enough
-# version of NSS.  Ubuntu 20.04 only has 3.49, which is far too old.
-# (neqo-crypto/build.rs would also need to query pkg-config to get the
-# right build flags rather than building NSS.)
-#
-# Also see https://github.com/mozilla/neqo/issues/1711
+  minimum-version:
+    description: "Minimum required version of NSS"
+    required: true
 
 runs:
   using: composite
   steps:
+    - name: Install system NSS (Linux)
+      shell: bash
+      if: runner.os == 'Linux' && runner.environment == 'github-hosted'
+      env:
+        DEBIAN_FRONTEND: noninteractive
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends libnss3-dev pkg-config
+
+    - name: Install system NSS (MacOS)
+      shell: bash
+      if: runner.os == 'MacOS' && runner.environment == 'github-hosted'
+      run: |
+        brew update
+        brew install nss
+
     - name: Check system NSS version
-      id: check
       shell: bash
       run: |
         if ! command -v pkg-config &> /dev/null; then
@@ -38,8 +49,8 @@ runs:
         fi
         NSS_MAJOR=$(echo "$NSS_VERSION" | cut -d. -f1)
         NSS_MINOR=$(echo "$NSS_VERSION" | cut -d. -f2)
-        REQ_NSS_MAJOR=$(cut -d. -f1 < neqo-crypto/min_version.txt)
-        REQ_NSS_MINOR=$(cut -d. -f2 < neqo-crypto/min_version.txt)
+        REQ_NSS_MAJOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f1)
+        REQ_NSS_MINOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f2)
         if [[ "$NSS_MAJOR" -lt "$REQ_NSS_MAJOR" || "$NSS_MAJOR" -eq "$REQ_NSS_MAJOR" && "$NSS_MINOR" -lt "$REQ_NSS_MINOR" ]]; then
           echo "System NSS is too old: $NSS_VERSION"
           echo "BUILD_NSS=1" >> "$GITHUB_ENV"
@@ -70,8 +81,59 @@ runs:
       id: cache-nss
       uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
-        path: ${{ github.workspace }}/dist
-        key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ hashFiles('nss/lib/nss/nss.h') }}
+        path: |
+          ${{ github.workspace }}/dist
+          ${{ github.workspace }}/nss/out
+          ${{ github.workspace }}/nspr/Debug
+          ${{ github.workspace }}/nspr/Release
+        key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ hashFiles('nss/lib/nss/nss.h', 'nspr/pr/include/prinit.h') }}
+
+    - name: Install build dependencies (Linux)
+      shell: bash
+      if: runner.os == 'Linux' && env.BUILD_NSS == '1' && runner.environment == 'github-hosted'
+      env:
+        DEBIAN_FRONTEND: noninteractive
+      run: sudo apt-get install -y --no-install-recommends git mercurial gyp ninja-build
+
+    - name: Install build dependencies (MacOS)
+      shell: bash
+      if: runner.os == 'MacOS' && env.BUILD_NSS == '1'
+      run: |
+        brew install mercurial ninja
+        echo "gyp-next>=0.18.1" > req.txt
+        python3 -m pip install --user --break-system-packages -r req.txt
+        echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
+
+    - name: Install build dependencies (Windows)
+      shell: bash
+      if: runner.os == 'Windows' && env.BUILD_NSS == '1'
+      run: |
+        # shellcheck disable=SC2028
+        {
+          echo C:/msys64/usr/bin
+          echo C:/msys64/mingw64/bin
+        } >> "$GITHUB_PATH"
+        /c/msys64/usr/bin/pacman -S --noconfirm python3-pip mercurial nsinstall
+        echo "gyp-next>=0.18.1" > req.txt
+        python3 -m pip install -r req.txt
+
+    - name: Set up MSVC (Windows)
+      if: runner.os == 'Windows' && env.BUILD_NSS == '1'
+      uses: ilammy/msvc-dev-cmd@v1
+      # TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
+      # uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
+
+    - name: Set up build environment (Windows)
+      shell: bash
+      if: runner.os == 'Windows' && env.BUILD_NSS == '1'
+      run: |
+        {
+          echo "GYP_MSVS_OVERRIDE_PATH=$VSINSTALLDIR"
+          echo "GYP_MSVS_VERSION=2022"
+          echo "BASH=$SHELL"
+        } >> "$GITHUB_ENV"
+        # See https://github.com/ilammy/msvc-dev-cmd#name-conflicts-with-shell-bash
+        rm /usr/bin/link.exe || true
 
     - name: Build
       shell: bash
@@ -82,20 +144,18 @@ runs:
           # we also want debug symbols and frame pointers for that, which the normal optimized NSS
           # build process doesn't provide.
           OPT="-o"
-          NSS_TARGET=Release
           [ "${{ runner.os }}" != "Windows" ] && export CFLAGS="-ggdb3 -fno-omit-frame-pointer"
-        else
-          NSS_TARGET=Debug
-        fi
-        if [ "${{ steps.cache-nss.outputs.cache-hit }}" != "true" ]; then
-          $NSS_DIR/build.sh -g -Ddisable_tests=1 $OPT --static
         fi
+        NSS_TARGET="${{ inputs.type }}"
         echo "NSS_TARGET=$NSS_TARGET" >> "$GITHUB_ENV"
         NSS_OUT="$NSS_DIR/../dist/$NSS_TARGET"
         echo "LD_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
         echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
         echo "$NSS_OUT/lib" >> "$GITHUB_PATH"
         echo "NSS_DIR=$NSS_DIR" >> "$GITHUB_ENV"
+        if [ "${{ steps.cache-nss.outputs.cache-hit }}" != "true" ]; then
+          $NSS_DIR/build.sh -g -Ddisable_tests=1 $OPT --static
+        fi
       env:
         NSS_DIR: ${{ github.workspace }}/nss
         NSPR_DIR: ${{ github.workspace }}/nspr

.github/actions/pr-comment-data-export/action.yml

@@ -31,7 +31,7 @@ runs:
           echo "${{ inputs.log-url }}" > comment-data/log-url
         fi
     - if: github.event_name == 'pull_request'
-      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
       with:
         name: ${{ inputs.name }}
         path: comment-data

.github/actions/quic-interop-runner/action.yml

@@ -83,7 +83,7 @@ runs:
         done
       shell: bash
 
-    - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+    - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
       id: upload-logs
       with:
         name: '${{ inputs.client }} vs. ${{ inputs.server }} logs'
@@ -97,7 +97,7 @@ runs:
           mv result.json.tmp result.json
       shell: bash
 
-    - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+    - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
       with:
         name: '${{ inputs.client }} vs. ${{ inputs.server }} results'
         path: |

.github/actions/rust/action.yml

@@ -8,26 +8,45 @@ inputs:
   components:
     description: 'Rust components to install'
     default: ''
+  tools:
+    description: 'Additional Rust tools to install'
+    default: ''
 
 runs:
   using: composite
   steps:
+    - name: Upgrade rustup (MacOS)
+      shell: bash
+      if: runner.os == 'MacOS'
+      run: brew update && brew upgrade rustup
+
     - name: Install Rust
-      uses: dtolnay/rust-toolchain@bb45937a053e097f8591208d8e74c90db1873d07 # master
+      uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17 # master
       with:
         toolchain: ${{ inputs.version }}
         components: ${{ inputs.components }}
 
+    - name: Set up MSVC (Windows)
+      if: runner.os == 'Windows'
+      uses: ilammy/msvc-dev-cmd@v1
+      # TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
+      # uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
+
+    # See https://github.com/ilammy/msvc-dev-cmd#name-conflicts-with-shell-bash
+    - name: Set up build environment (Windows)
+      shell: bash
+      if: runner.os == 'Windows'
+      run: rm /usr/bin/link.exe || true
+
     - name: Install cargo-quickinstall
       shell: bash
+      if: inputs.tools != ''
       run: cargo +${{ inputs.version }} install cargo-quickinstall
 
     - name: Install Rust tools
       shell: bash
-      run: |
-        cargo +${{ inputs.version }} quickinstall --no-binstall \
-          cargo-llvm-cov cargo-nextest flamegraph cargo-hack cargo-mutants hyperfine \
-          cargo-machete cargo-fuzz
+      if: inputs.tools != ''
+      run: cargo +${{ inputs.version }} quickinstall --no-binstall $(echo ${{ inputs.tools }} | tr -d ",")
 
     # sccache slows CI down, so we leave it disabled.
     # Leaving the steps below commented out, so we can re-evaluate enabling it later.

.github/workflows/bench.yml

@@ -44,10 +44,16 @@ jobs:
         uses: ./.github/actions/rust
         with:
           version: $TOOLCHAIN
-          components: rustfmt
+          tools: hyperfine
 
-      - name: Fetch and build NSS and NSPR
+      - name: Get minimum NSS version
+        id: nss-version
+        run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT"
+
+      - name: Install NSS
         uses: ./.github/actions/nss
+        with:
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
 
       - name: Build neqo
         run: |
@@ -200,7 +206,7 @@ jobs:
           fi
           sed -E -e 's/^                 //gi' \
                  -e 's/((change|time|thrpt):[^%]*% )([^%]*%)(.*)/\1<b>\3<\/b>\4/gi' results.txt |\
-            perl -p -0777 -e 's/(.*?)\n(.*?)((No change|Change within|Performance has).*?)(\nFound .*?)?\n\n/<details><summary>$1: $3<\/summary><pre>\n$2$5<\/pre><\/details>\n/gs' |\
+            perl -p -0777 -e 's/(.*?)\n(.*?)(((No change|Change within|Performance has).*?)(\nFound .*?)?)?\n\n/<details><summary>$1: $4<\/summary><pre>\n$2$6<\/pre><\/details>\n/gs' |\
             sed -E -e 's/(Performance has regressed.)/:broken_heart: <b>\1<\/b>/gi' \
                    -e 's/(Performance has improved.)/:green_heart: <b>\1<\/b>/gi' \
                    -e 's/^ +((<\/pre>|Found).*)/\1/gi' \
@@ -231,7 +237,7 @@ jobs:
 
       - name: Export perf data
         id: export
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: ${{ github.event.repository.name }}-${{ github.sha }}
           path: |

.github/workflows/check.yml

@@ -45,60 +45,21 @@ jobs:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - name: Install dependencies (Linux)
-        if: runner.os == 'Linux'
-        env:
-          DEBIAN_FRONTEND: noninteractive
-        run: |
-          sudo apt-get install -y --no-install-recommends libnss3-dev pkg-config lld
-          echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV"
-
-      - name: Install dependencies (MacOS)
-        if: runner.os == 'MacOS'
-        run: |
-          brew update
-          brew install llvm nss
-          echo "/opt/homebrew/opt/llvm/bin" >> "$GITHUB_PATH"
-          echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV"
-
-      - name: Install dependencies (Windows)
-        if: runner.os == 'Windows'
-        run: |
-          # shellcheck disable=SC2028
-          {
-            echo C:/msys64/usr/bin
-            echo C:/msys64/mingw64/bin
-          } >> "$GITHUB_PATH"
-          /c/msys64/usr/bin/pacman -S --noconfirm nsinstall
-          echo "gyp-next==0.15.0 --hash=sha256:3600f2a80fa33d3574f51bbb3d4bfc843373dafbe84059958aea3f1c9560f95a" > requirements.txt
-          python3 -m pip install --require-hashes -r requirements.txt
-          echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
-
-      - name: Set up MSVC build environment (Windows)
-        if: runner.os == 'Windows'
-        uses: ilammy/msvc-dev-cmd@v1
-        # TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
-        # uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
-
-      - name: Set up NSS/NSPR build environment (Windows)
-        if: runner.os == 'Windows'
-        run: |
-          {
-            echo "GYP_MSVS_OVERRIDE_PATH=$VSINSTALLDIR"
-            echo "GYP_MSVS_VERSION=2022"
-            echo "BASH=$SHELL"
-          } >> "$GITHUB_ENV"
-          # See https://github.com/ilammy/msvc-dev-cmd#name-conflicts-with-shell-bash
-          rm /usr/bin/link.exe
-
       - name: Install Rust
         uses: ./.github/actions/rust
         with:
           version: ${{ matrix.rust-toolchain }}
           components: rustfmt, clippy, llvm-tools-preview
+          tools: cargo-llvm-cov, cargo-nextest, cargo-hack, cargo-fuzz, cargo-machete
+
+      - name: Get minimum NSS version
+        id: nss-version
+        run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT"
 
-      - name: Fetch and build NSS and NSPR
+      - name: Install NSS
         uses: ./.github/actions/nss
+        with:
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
 
       - name: Build
         run: |
@@ -168,6 +129,8 @@ jobs:
           fail_ci_if_error: false
           token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         if: matrix.type == 'debug' && matrix.rust-toolchain == 'stable'
 
   bench:

.github/workflows/firefox.yml

@@ -113,7 +113,7 @@ jobs:
 
       - name: Export binary
         id: upload
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: ${{ runner.os }}-${{ env.FIREFOX }}-${{ matrix.type }}.tgz
           path: ${{ env.FIREFOX }}.tar
@@ -122,7 +122,7 @@ jobs:
       - run: echo "${{ steps.upload.outputs.artifact-url }}" >> artifact
 
       - name: Export artifact URL
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: artifact-${{ runner.os }}-${{ env.FIREFOX }}-${{ matrix.type }}
           path: artifact

.github/workflows/mutants.yml

@@ -22,20 +22,19 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install dependencies
-        env:
-          DEBIAN_FRONTEND: noninteractive
-        run: |
-          sudo apt-get install -y --no-install-recommends libnss3-dev pkg-config lld
-          echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV"
+      - name: Get minimum NSS version
+        id: nss-version
+        run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT"
 
-      - name: Fetch and build NSS and NSPR
+      - name: Install NSS
         uses: ./.github/actions/nss
+        with:
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
 
       - name: Install Rust
         uses: ./.github/actions/rust
         with:
-          version: stable
+          tools: cargo-mutants
 
       - name: Find incremental mutants
         if: github.event_name == 'pull_request'
@@ -64,7 +63,7 @@ jobs:
           } > "$GITHUB_STEP_SUMMARY"
 
       - name: Archive mutants.out
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         if: always()
         with:
           name: mutants.out