
Commit 0139a05

ci(sfw): scope VP_INSECURE_TLS to the Linux matrix entry only
Only Linux actually needs the TLS-bypass against sfw v1.11.0:

- Linux (ubuntu-latest): runner doesn't preinstall Node 22.18 into vp's cache, so `sfw vp i -g pnpm@9.15.0` triggers vp's HttpClient to fetch nodejs.org/.../SHASUMS256.txt through sfw. rustls rejects sfw's broken CA (UnknownIssuer) — flag required.
- macOS / Windows: runners already have Node 22.18 in vp's cache. vp never traverses sfw with its HttpClient in this test; the only HTTPS through sfw is npm's (lenient Node TLS). No flag needed — and leaving verification enabled there confirms the bypass is scoped, not blanket.

Plumbed via a per-matrix-entry `vp_insecure_tls` value. The shared HTTP client treats an empty `VP_INSECURE_TLS` env as unset (the truthy-only parser added in the previous commit), so the empty value on macOS/Windows is a no-op.
1 parent e430085 commit 0139a05

1 file changed

Lines changed: 20 additions & 11 deletions

.github/workflows/ci.yml

@@ -906,16 +906,25 @@ jobs:
906906
target: x86_64-unknown-linux-gnu
907907
sfw_asset: sfw-free-linux-x86_64
908908
vp_bin: vp
909+
# Only Linux needs the TLS-bypass: the ubuntu-latest runner
910+
# doesn't preinstall Node 22.18 into vp's cache, so vp's HttpClient
911+
# (rustls) fetches `nodejs.org/.../SHASUMS256.txt` through sfw and
912+
# hits the upstream EKU bug. macOS/Windows runners ship Node in
913+
# vp's cache already, so vp never calls its HttpClient through sfw
914+
# in this test — leave the verification on there.
915+
vp_insecure_tls: '1'
909916
- os: namespace-profile-mac-default
910917
target: aarch64-apple-darwin
911918
sfw_asset: sfw-free-macos-arm64
912919
vp_bin: vp
920+
vp_insecure_tls: ''
913921
- os: windows-latest
914922
target: x86_64-pc-windows-msvc
915923
sfw_asset: sfw-free-windows-x86_64.exe
916924
# On Windows vp ships as `vp.exe`; sfw spawns its child process
917925
# directly without applying PATHEXT, so the bare `vp` lookup fails.
918926
vp_bin: vp.exe
927+
vp_insecure_tls: ''
919928
runs-on: ${{ matrix.os }}
920929
steps:
921930
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
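Review bot: the two `vp_insecure_tls: ''` entries (macOS and Windows) carry no comment, and their correctness rests on a property of the runner image that the matrix neither pins nor checks: the Linux comment says those runners "ship Node in vp's cache already". If an image update drops Node 22.18 from that cache, these entries will start failing with the UnknownIssuer error and nothing near the value explains why. That failure is the safe direction, but a one-line comment on each empty entry pointing back to the Linux explanation would make it diagnosable. The Linux comment also calls the cause "the upstream EKU bug" without the issue reference; repeating SocketDev/sfw-free#30 next to `vp_insecure_tls: '1'` would make it harder to remove the TODO further down and leave this flag behind.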
@@ -982,18 +991,18 @@ jobs:
982991
run: sfw --version
983992

984993
- name: Run `sfw vp install` against a real repo
985-
# TODO(SocketDev/sfw-free#30, SocketDev/sfw-free#43): drop `VP_INSECURE_TLS`
986-
# once sfw ships the EKU fix. Verified against sfw v1.11.0
987-
# (releases/latest as of 2026-05-28) on Linux: vp's HTTPS request to
988-
# nodejs.org through sfw still fails with
989-
# "invalid peer certificate: UnknownIssuer"
990-
# because sfw's CA carries a present-but-empty Extended Key Usage
991-
# extension that rustls rejects. macOS happened to pass only because
992-
# the runner already has Node 22.18.0 cached, so vp didn't have to
993-
# traverse sfw for SHASUMS — not a fix. Keep this flag on every
994-
# matrix entry until upstream ships the EKU fix.
994+
# TODO(SocketDev/sfw-free#30, SocketDev/sfw-free#43): drop `vp_insecure_tls`
995+
# from the Linux matrix entry once sfw ships the EKU fix. Verified
996+
# against sfw v1.11.0 (releases/latest as of 2026-05-28): on Linux,
997+
# vp's HTTPS request to nodejs.org through sfw still fails with
998+
# "invalid peer certificate: UnknownIssuer" because sfw's CA carries a
999+
# present-but-empty Extended Key Usage extension that rustls rejects.
1000+
# macOS/Windows runners cache Node 22.18 in vp's directory, so vp
1001+
# doesn't call its HttpClient through sfw — leaving TLS verification
1002+
# enabled there gives us coverage that the bypass *isn't* used on
1003+
# those platforms.
9951004
env:
996-
VP_INSECURE_TLS: '1'
1005+
VP_INSECURE_TLS: ${{ matrix.vp_insecure_tls }}
9971006
run: |
9981007
set -euo pipefail
9991008
# Force the registry-fetch path: install a pinned pnpm globally so
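Review bot: `VP_INSECURE_TLS: ${{ matrix.vp_insecure_tls }}` still defines the variable on macOS and Windows, only with an empty value, so whether verification stays on there depends on how the client parses an empty string, which nothing in this workflow shows or checks. Add a short comment at the `env:` line stating that an empty value is treated as unset, and consider a guard step that fails a non-Linux entry if the variable is non-empty, so a later matrix edit cannot widen the bypass silently. Separately, the new comment's claim that leaving verification enabled "gives us coverage that the bypass *isn't* used" is stronger than the lines above it support: by the same comment, vp does not call its HttpClient through sfw on those platforms, so certificate verification against sfw's CA is never exercised there. The entries show the flag is not required, not that verification works; rewording the comment to say that would avoid a false sense of coverage.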
