Skip to content

Make all compiler HTTP paths proxy-aware#2963

Merged
plajjan merged 3 commits into
mainfrom
proxy-pkg-commands
Jun 22, 2026
Merged

Make all compiler HTTP paths proxy-aware#2963
plajjan merged 3 commits into
mainfrom
proxy-pkg-commands

Conversation

@plajjan

@plajjan plajjan commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

This finishes making the compiler's dependency and package handling work behind an HTTP proxy. Earlier work routed the dependency archive download through Haskell's http-client so it honours http_proxy and https_proxy and tunnels https via CONNECT. The package commands were left out: acton install, acton pkg add, acton pkg upgrade and acton zig pkg add re-hash an archive by shelling out to zig fetch on the remote URL, and zig's network stack does not work through an HTTP CONNECT proxy. Separately, the GitHub API and package-index calls used their own http-client manager and printed the raw http-client request record on failure.

This introduces a single proxy-aware HTTP layer, Acton.HttpFetch, that every network path shares: one proxy-aware Manager, the proxy diagnostics, httpGetBytes for fetching JSON metadata into memory, and downloadToFile for streaming a body to a local file. Acton.ArchiveDownload sits on top of it and adds archive-type detection, so downloadArchive names the temporary file for zig fetch. The dependency fetch in Acton.Compile uses ArchiveDownload, and the package commands now resolve GitHub refs and download the index through HttpFetch and re-hash archives through ArchiveDownload. The result is one proxy mechanism everywhere, zig fetch only ever running on already-downloaded local files, and the same clean proxy diagnostic on every HTTP failure instead of a raw record dump.

One behaviour change worth noting: the metadata path now fails fast on a connection-level error and shows the proxy diagnostic, instead of retrying a dead or misconfigured proxy ten times over several minutes. It still retries GitHub's rate-limit and server statuses, which is what that retry loop is for.

The docker proxy test is extended to also run acton pkg update and acton pkg upgrade through the proxy, so it now covers the GitHub API ref resolution and the archive re-hash in addition to the dependency archive download.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3f40cb4cb9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread compiler/acton/PkgCommands.hs
plajjan pushed a commit that referenced this pull request Jun 22, 2026
From review of #2963:
- Drop the download-failure fallback that ran `zig fetch <remote-url>`. depUrl is
  always http(s) there, so downloadArchive already covers it; zig's network stack
  cannot traverse an HTTP CONNECT proxy, so the fallback only hung and buried the
  actionable proxy diagnostic behind a zig network dump.
- Rethrow async exceptions (Ctrl-C, concurrent-fetch cancellation) from the
  network calls instead of reformatting them into a bogus proxy error, matching
  the rethrow-async convention used elsewhere (InterfaceFiles.tyCacheMiss).
- Remove imports orphaned by the HttpFetch/ArchiveDownload extraction.
plajjan pushed a commit that referenced this pull request Jun 22, 2026
From review of #2963:
- Forward GITHUB_TOKEN into the test container, and set it in the CI job, so the
  pkg upgrade scenario authenticates its GitHub API calls instead of sharing the
  runner IP's 60/hr unauthenticated limit (which rate-limited and stalled on CI).
- Update the README for the pkg update / pkg upgrade scenarios and fix a stale
  entrypoint hint that pointed at a path from the original prototype.
plajjan pushed a commit that referenced this pull request Jun 22, 2026
From Codex review of #2963: routing the package-command hash path through
downloadArchive dropped the retry that the old `zig fetch` wrapper had, so a
transient 429/5xx from GitHub/codeload or a proxy aborted the command on the
first try. Share one retry policy (403/429/5xx, exponential backoff) between
httpGetBytes and downloadToFile, so the archive download retries transient
server statuses again; connection-level failures still fail fast with the proxy
diagnostic.
Kristian Larsson added 3 commits June 22, 2026 18:02
Introduce Acton.HttpFetch -- the single proxy-aware http-client Manager, the
proxy diagnostics, httpGetBytes (a body into memory, for JSON metadata) and
downloadToFile (stream to a local file). Both retry transient server statuses
(403/429/5xx) and fail fast on connection errors with a clean proxy diagnostic;
async exceptions are rethrown rather than reported as proxy errors.
Acton.ArchiveDownload adds archive-type detection on top, so downloadArchive
names the temp file for `zig fetch`. Compile fetches dependencies through
ArchiveDownload and no longer falls back to `zig fetch <url>`, which zig's
network stack cannot traverse behind an HTTP CONNECT proxy.
The package commands had their own HTTP: newTlsManager per call site for the
GitHub API and index, and zigFetchHash shelling out to `zig fetch <url>` to
re-hash archives -- which fails behind an HTTP CONNECT proxy. Point the metadata
calls at Acton.HttpFetch (one proxy manager, and the same clean diagnostics) and
hash archives via Acton.ArchiveDownload, so install, pkg add, pkg upgrade and zig
pkg add work behind a proxy.
Add a second fixture with a github dependency and run three scenarios through the
proxy with no direct egress: acton fetch, pkg update and pkg upgrade -- covering
the dependency archive download, the package index, and the github API ref
resolution plus archive re-hash. Forward GITHUB_TOKEN (set in the CI job) so the
pkg upgrade scenario authenticates instead of hitting the unauthenticated API
limit on shared runner IPs.
@plajjan plajjan force-pushed the proxy-pkg-commands branch from 2835720 to c94e4a9 Compare June 22, 2026 16:02
@plajjan plajjan merged commit b62f1bc into main Jun 22, 2026
55 checks passed
@plajjan plajjan deleted the proxy-pkg-commands branch June 22, 2026 20:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant