Make all compiler HTTP paths proxy-aware#2963
Merged
Merged
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3f40cb4cb9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
plajjan
pushed a commit
that referenced
this pull request
Jun 22, 2026
From review of #2963: - Drop the download-failure fallback that ran `zig fetch <remote-url>`. depUrl is always http(s) there, so downloadArchive already covers it; zig's network stack cannot traverse an HTTP CONNECT proxy, so the fallback only hung and buried the actionable proxy diagnostic behind a zig network dump. - Rethrow async exceptions (Ctrl-C, concurrent-fetch cancellation) from the network calls instead of reformatting them into a bogus proxy error, matching the rethrow-async convention used elsewhere (InterfaceFiles.tyCacheMiss). - Remove imports orphaned by the HttpFetch/ArchiveDownload extraction.
plajjan
pushed a commit
that referenced
this pull request
Jun 22, 2026
From review of #2963: - Forward GITHUB_TOKEN into the test container, and set it in the CI job, so the pkg upgrade scenario authenticates its GitHub API calls instead of sharing the runner IP's 60/hr unauthenticated limit (which rate-limited and stalled on CI). - Update the README for the pkg update / pkg upgrade scenarios and fix a stale entrypoint hint that pointed at a path from the original prototype.
plajjan
pushed a commit
that referenced
this pull request
Jun 22, 2026
From Codex review of #2963: routing the package-command hash path through downloadArchive dropped the retry that the old `zig fetch` wrapper had, so a transient 429/5xx from GitHub/codeload or a proxy aborted the command on the first try. Share one retry policy (403/429/5xx, exponential backoff) between httpGetBytes and downloadToFile, so the archive download retries transient server statuses again; connection-level failures still fail fast with the proxy diagnostic.
added 3 commits
June 22, 2026 18:02
Introduce Acton.HttpFetch -- the single proxy-aware http-client Manager, the proxy diagnostics, httpGetBytes (a body into memory, for JSON metadata) and downloadToFile (stream to a local file). Both retry transient server statuses (403/429/5xx) and fail fast on connection errors with a clean proxy diagnostic; async exceptions are rethrown rather than reported as proxy errors. Acton.ArchiveDownload adds archive-type detection on top, so downloadArchive names the temp file for `zig fetch`. Compile fetches dependencies through ArchiveDownload and no longer falls back to `zig fetch <url>`, which zig's network stack cannot traverse behind an HTTP CONNECT proxy.
The package commands had their own HTTP: newTlsManager per call site for the GitHub API and index, and zigFetchHash shelling out to `zig fetch <url>` to re-hash archives -- which fails behind an HTTP CONNECT proxy. Point the metadata calls at Acton.HttpFetch (one proxy manager, and the same clean diagnostics) and hash archives via Acton.ArchiveDownload, so install, pkg add, pkg upgrade and zig pkg add work behind a proxy.
Add a second fixture with a github dependency and run three scenarios through the proxy with no direct egress: acton fetch, pkg update and pkg upgrade -- covering the dependency archive download, the package index, and the github API ref resolution plus archive re-hash. Forward GITHUB_TOKEN (set in the CI job) so the pkg upgrade scenario authenticates instead of hitting the unauthenticated API limit on shared runner IPs.
2835720 to
c94e4a9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This finishes making the compiler's dependency and package handling work behind an HTTP proxy. Earlier work routed the dependency archive download through Haskell's http-client so it honours http_proxy and https_proxy and tunnels https via CONNECT. The package commands were left out: acton install, acton pkg add, acton pkg upgrade and acton zig pkg add re-hash an archive by shelling out to zig fetch on the remote URL, and zig's network stack does not work through an HTTP CONNECT proxy. Separately, the GitHub API and package-index calls used their own http-client manager and printed the raw http-client request record on failure.
This introduces a single proxy-aware HTTP layer, Acton.HttpFetch, that every network path shares: one proxy-aware Manager, the proxy diagnostics, httpGetBytes for fetching JSON metadata into memory, and downloadToFile for streaming a body to a local file. Acton.ArchiveDownload sits on top of it and adds archive-type detection, so downloadArchive names the temporary file for zig fetch. The dependency fetch in Acton.Compile uses ArchiveDownload, and the package commands now resolve GitHub refs and download the index through HttpFetch and re-hash archives through ArchiveDownload. The result is one proxy mechanism everywhere, zig fetch only ever running on already-downloaded local files, and the same clean proxy diagnostic on every HTTP failure instead of a raw record dump.
One behaviour change worth noting: the metadata path now fails fast on a connection-level error and shows the proxy diagnostic, instead of retrying a dead or misconfigured proxy ten times over several minutes. It still retries GitHub's rate-limit and server statuses, which is what that retry loop is for.
The docker proxy test is extended to also run acton pkg update and acton pkg upgrade through the proxy, so it now covers the GitHub API ref resolution and the archive re-hash in addition to the dependency archive download.